Moribundo
/
Scripts
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Mis scripts

This commit is contained in:
Moribundo 2020-05-08 15:16:09 +02:00
parent 9e9f8bbc5a
commit 1f0d7a2aae
23 changed files with 1876 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

55
Backup-rsync.sh Normal file
View File

@ -0,0 +1,55 @@
#!/bin/bash
clear
# rsync -Pavh --exclude-from=file Tmp proba
# Si ponemos Tmp/ solo copiará los archivos de Tmp, no la carpeta entera
echo " ###################################"
echo "## ##"
echo "## SCRIPT COPIAS DE SEGURIDAD ##"
echo "## RSYNC ##"
echo "## Por ZX80 ##"
echo "## ##"
echo " ####################################"
echo
echo "Pulse enter para empezar a copiar."
read -n 0 -ers
echo
echo
echo
sleep 3s
rsync -Pavh 0Fotos /home/zx80/Backup/
rsync -Pavh 0web /home/zx80/Backup/
rsync -Pavh Basura /home/zx80/Backup/
rsync -Pavh Calaveras /home/zx80/Backup/
rsync -Pavh Descargas /home/zx80/Backup/
rsync -Pavh ElectrumFair-3.0.5 /home/zx80/Backup/
rsync -Pavh Mierda /home/zx80/Backup/
rsync -Pavh sys /home/zx80/Backup/
rsync -Pavh Tmp /home/zx80/Backup/
rsync -Pavh .aMule --exclude 'Incoming' --exclude 'Temp' /home/zx80/Backup/
rsync -Pavh .config /home/zx80/Backup/
rsync -Pavh .fonts /home/zx80/Backup/
rsync -Pavh .gconf /home/zx80/Backup/
rsync -Pavh .gnome2 /home/zx80/Backup/
rsync -Pavh .gnupg /home/zx80/Backup/
rsync -Pavh .gqview /home/zx80/Backup/
rsync -Pavh .hplip /home/zx80/Backup/
rsync -Pavh .liferea_1.8 /home/zx80/Backup/
rsync -Pavh .mozilla /home/zx80/Backup/
rsync -Pavh .xmame /home/zx80/Backup/
sleep 4s
echo .
echo .
echo .
echo .
echo "Copia realizada correctamente."
echo "Pulsa Enter para tarear y copiar a Store."
read -n 0 -ers
tar -zcvf Backup.tgz Backup
# cp Backup.tar /mnt/store/
echo .
echo .
echo "Purgando directorio e iniciando copia...."
rm -rf Backup
mkdir Backup
echo " Listo !!!!"

30
Bitrate-calc.sh Executable file
View File

@ -0,0 +1,30 @@
#!/bin/bash
#mb * 8388.608 / seg - audio -15
#800 * 8388.608 / 6760 -40 -15
clear
echo "CALCULAR LOS SEGUNDOS"
echo
echo
read -p "Introduce las horas del video: " hor
read -p "Introduce los minutos del video: " min
read -p "Introduce los segundos del video: " seg
HORA=$(( $hor*3600 ))
MIN=$(( $min*60 ))
CONV=$(( $HORA + $MIN + $seg ))
echo
echo "Segundos del video: " $CONV
echo
echo "CALCULAR EL BITRATE"
read -p "Introduce los Megas del video resultante: " MB
read -p "Introduce los Megas del audio (para 1h son 40): " AUD
SUMAUDIO=$(( $AUD+15 ))
MEGAS=$(( $MB*8389/($CONV)-$SUMAUDIO ))
echo
echo "El bitrate para el video es:" $MEGAS

24
Conversor_mkv.sh Executable file
View File

@ -0,0 +1,24 @@
#!/bin/bash
# Conversor de archivos AVI a MKV
# Por Moribundo Insurgente
clear
echo CONVERSOR DE AVI A MKV
echo
echo
# Cambiar espacios por guion bajo
for FILE in *.avi ; do NEW=`echo $FILE | sed 's/ /_/g'`; mv "$FILE" $NEW; done
# Convertir mediante HandBrakeCLI
for file in *.avi; do HandBrakeCLI --preset-import-file Handbrake_h264.json -i $file -o "$file.mkv"; done; rm *.avi
# Eliminar la extensión duplicada .avi.mkv
echo
echo
echo Eliminando extension duplicada...
for FILE in *.avi.mkv ; do NEWFILE=`echo "$FILE" | sed 's/.avi.mkv$/.mkv/'` ; mv "$FILE" $NEWFILE ; done

22
Conversor_ogg.sh Executable file
View File

@ -0,0 +1,22 @@
#!/bin/bash
# Conversor-renombrador de archivos MP3 a OGG
# Por Moribundo Insurgente
clear
echo CONVERSOR DE MP3 A OGG
echo
echo
# Convertir de mp3 a ogg
for file in *.mp3; do mpg321 "$file" -w raw && oggenc raw -q 4 -o "$file.ogg"; done; rm *.mp3; rm raw
# Cambiar espacios por guion bajo
for FILE in *.ogg ; do NUEVOFICHERO=`echo $FILE | sed 's/ /_/g'`; mv "$FILE" $NUEVOFICHERO; done
# Eliminar la extensión duplicada .mp3.ogg
echo
echo
echo Eliminando extension duplicada...
for FILE in *.mp3.ogg ; do NEWFILE=`echo "$FILE" | sed 's/.mp3.ogg$/.ogg/'` ; mv "$FILE" $NEWFILE ; done

52
Ejemplo 01 - Menu.sh Normal file
View File

@ -0,0 +1,52 @@
#!/bin/bash
# Script de ejemplo
# Menu para elegir tareas de sistema
x=0
y=4
while [ $x -le $y ];
do
clear
echo "1. Numero de procesos"
echo "2. Espacio en disco"
echo "3. Usuarios activos"
echo "4. Carga del sistema"
echo "5. Salir"
read x
case $x in
1)
clear
ps xa | wc -l
echo "Pulsa una tecla para seguir..."
read
;;
2)
clear
df -h
echo "Pulsa una tecla para seguir..."
read
;;
3)
clear
w
echo "Pulsa una tecla para seguir..."
read
;;
4)
clear
uptime
echo "Pulsa una tecla para seguir..."
read
;;
*)
clear
;;
esac
done

109
Handbrake_h264.json Normal file
View File

@ -0,0 +1,109 @@
{
"PresetList": [
{
"AlignAVStart": false,
"AudioCopyMask": [
"copy:aac"
],
"AudioEncoderFallback": "av_aac",
"AudioLanguageList": [],
"AudioList": [
{
"AudioBitrate": 128,
"AudioCompressionLevel": -1.0,
"AudioDitherMethod": "auto",
"AudioEncoder": "av_aac",
"AudioMixdown": "dpl2",
"AudioNormalizeMixLevel": false,
"AudioSamplerate": "auto",
"AudioTrackDRCSlider": 0.0,
"AudioTrackGainSlider": 0.0,
"AudioTrackQuality": 1.0,
"AudioTrackQualityEnable": false
}
],
"AudioSecondaryEncoderMode": true,
"AudioTrackSelectionBehavior": "first",
"ChapterMarkers": true,
"ChildrenArray": [],
"Default": true,
"FileFormat": "av_mkv",
"Folder": false,
"FolderOpen": false,
"InlineParameterSets": false,
"Mp4HttpOptimize": false,
"Mp4iPodCompatible": false,
"PictureAutoCrop": true,
"PictureBottomCrop": 0,
"PictureCombDetectCustom": "",
"PictureCombDetectPreset": "default",
"PictureDARWidth": 0,
"PictureDeblock": 0,
"PictureDeblockCustom": "qp=0:mode=2",
"PictureDeinterlaceCustom": "",
"PictureDeinterlaceFilter": "decomb",
"PictureDeinterlacePreset": "default",
"PictureDenoiseCustom": "",
"PictureDenoiseFilter": "off",
"PictureDenoisePreset": "",
"PictureDenoiseTune": "none",
"PictureDetelecine": "off",
"PictureDetelecineCustom": "",
"PictureForceHeight": 0,
"PictureForceWidth": 0,
"PictureHeight": 1080,
"PictureItuPAR": false,
"PictureKeepRatio": true,
"PictureLeftCrop": 0,
"PictureLooseCrop": false,
"PictureModulus": 2,
"PicturePAR": "auto",
"PicturePARHeight": 1,
"PicturePARWidth": 1,
"PictureRightCrop": 0,
"PictureRotate": "disable=1",
"PictureSharpenCustom": "",
"PictureSharpenFilter": "off",
"PictureSharpenPreset": "",
"PictureSharpenTune": "",
"PictureTopCrop": 0,
"PictureWidth": 1920,
"PresetDescription": "H.264 video (up to 1080p30) and AAC stereo audio, in an MKV container.",
"PresetName": "Moribundo",
"SubtitleAddCC": false,
"SubtitleAddForeignAudioSearch": true,
"SubtitleAddForeignAudioSubtitle": false,
"SubtitleBurnBDSub": true,
"SubtitleBurnBehavior": "foreign",
"SubtitleBurnDVDSub": true,
"SubtitleLanguageList": [],
"SubtitleTrackSelectionBehavior": "none",
"Type": 1,
"UsesPictureFilters": true,
"UsesPictureSettings": 1,
"VideoAvgBitrate": 6000,
"VideoColorMatrixCode": 0,
"VideoEncoder": "x264",
"VideoFramerate": "30",
"VideoFramerateMode": "pfr",
"VideoGrayScale": false,
"VideoLevel": "auto",
"VideoOptionExtra": "",
"VideoPreset": "medium",
"VideoProfile": "auto",
"VideoQSVAsyncDepth": 4,
"VideoQSVDecode": false,
"VideoQualitySlider": 23.0,
"VideoQualityType": 2,
"VideoScaler": "swscale",
"VideoTune": "",
"VideoTurboTwoPass": true,
"VideoTwoPass": true,
"x264Option": "",
"x264UseAdvancedOptions": false
}
],
"VersionMajor": 32,
"VersionMicro": 0,
"VersionMinor": 0
}

26
IPlocation.sh Normal file
View File

@ -0,0 +1,26 @@
#!/bin/sh
clear
echo " ###################################"
echo "## ##"
echo "## MUESTRA TU IP Y SU INFO ##"
echo "## ##"
echo "## Por ZX80 ##"
echo "## ##"
echo " ####################################"
echo
sleep 1s
echo
# curl -s --connect-timeout 2 ifconfig.co
IP=$(curl -s --connect-timeout 2 icanhazip.com)
echo Tu IP es: $IP
echo
echo Mostrando info:
echo
sleep 1s
curl ipinfo.io/$IP
echo
echo
echo " Listo !!!!"
echo
echo

69
Luks.sh Normal file
View File

@ -0,0 +1,69 @@
#!/bin/bash
x=0
y=3
while [ $x -le $y ];
do
clear
echo "ELIJE QUE HACEMOS HOY"
echo "1- Crear volumen."
echo "2- Montar volumen."
echo "3- Desmontar volumen."
echo "4- Salir"
read x
case $x in
1)
clear
echo -n "Nombre del volumen a crear: "; read VOL
echo -n "Dale espacio en MB: "; read MB
echo -n "Especifica un nombre para /dev/mapper: "; read MAP
echo -n "Nombre del volumen montado: "; read NOM
echo
echo "CREANDO VOLUMEN"
dd if=/dev/zero bs=1M count=$MB of=$VOL
echo
echo "Formateando volumen..."
cryptsetup -c aes-xts-plain -s 512 luksFormat $VOL
echo
echo "Abriendo volumen..."
cryptsetup luksOpen $VOL $MAP
echo "Formateando volumen..."
mkfs.ext4 /dev/mapper/$MAP -L $NOM -m 2
cryptsetup luksClose $MAP
echo "Pulsa una tecla para continuar...."
read
;;
2)
clear
echo "MONTAR VOLUMEN"
echo -n "Nombre del volumen: "; read VOL
echo -n "Nombre del mapper: "; read MAP
echo
cryptsetup luksOpen $VOL $MAP
echo "Pulsa una tecla para continuar...."
read
;;
3)
clear
echo "DESMONTAR VOLUMEN"
echo -n "Nombre del mapper: "; read MAP
cryptsetup luksClose $MAP
echo "Pulsa una tecla para continuar...."
read
;;
*)
clear
echo "HASTA OTRA..."
echo
exit
;;
esac
done

24
cambio IP.sh Normal file
View File

@ -0,0 +1,24 @@
#!/bin/sh
# comtrend vr3025u
IFACE=ppp0.1
# vr3025un
#IFACE=ppp1
USER=admin
PASS=calandraca
IP=192.168.1.1
( sleep 3
echo $USER
sleep 1
echo $PASS
sleep 1
echo ppp config $IFACE down
sleep 5
echo ppp config $IFACE up
sleep 5
echo exit ) | telnet $IP

42
cifrado.sh Normal file
View File

@ -0,0 +1,42 @@
#!/bin/bash
# Script de cifrado/descifrado con GnuPG
x=0
y=2
while [ $x -le $y ];
do
clear
echo "1- Cifrar"
echo "2- Descifrar"
echo "3- Salir"
read x
case $x in
1)
clear
echo -n "Nombre del archivo a cifrar: "; read CIF
echo "Cifrando ..."
sleep 2
gpg -er "Moribundo Insurgente" $CIF
;;
2)
clear
echo -n "Nombre del archivo a descifrar: "; read DESCIF
echo -n "Nombre del archivo una vez descifrado: "; read DESCIF2
echo "Descifrando ..."
sleep 2
gpg -o $DESCIF2 -d $DESCIF
;;
*)
clear
echo
echo
exit
;;
esac
done

37
date_sys_mod.sh Normal file
View File

@ -0,0 +1,37 @@
#!/bin/bash
# Cambio de hora del sistema
echo "ES NECESARIO SER ROOT"
x=0
y=2
while [ $x -le $y ];
do
clear
echo "1. Cambiar fecha"
echo "2. Restaurar fecha"
echo "3. Salir"
read x
case $x in
1)
clear
echo -n "Introduce fecha en formato \"mes-dia-hora-minutos-año.segundos\":"; read FECHA
date $FECHA
;;
2)
clear
echo "Restaurando fecha..."
ntpdate -u 0.arch.pool.ntp.org
;;
*)
clear
;;
esac
done

4
freeram.sh Normal file
View File

@ -0,0 +1,4 @@
#!/bin/sh
# Libera la caché RAM
sync ; echo 3 > /proc/sys/vm/drop_caches ; echo "RAM Liberada"
exit 0

70
jd.sh Normal file
View File

@ -0,0 +1,70 @@
#!/bin/bash
#JD Installer/Starter Version 0.2
#by Jiaz(JD-Team), jiaz@jdownloader.org
#You need at least:
#1.) bash (its a bash script ;) )
#2.) wget
#3.) Java Version >= 1.5 (OpenJDK works also in latest Version)
#How to use this?
#1.) chmod +x jd.sh
#2.) Place it anywhere you want
#3.) Running jd.sh for the first time will install and setup JD into JDDIR folder
#4.) Running jd.sh after the first time will start JDownloader directly
#Parameters
# update (will perform an update)
#JD Installation folder (adjust to your needs)
JDDIR=~/.jd
#default path to our install/update tool (DO NOT Change this)
JDINSTALLER=http://update0.jdownloader.org/jdupdate.jar
if [ -e $JDDIR ]
then
if [ "$1" = "update" ]
then
if [ -e $JDDIR/jdupdate.jar ]
then
cd $JDDIR
echo "Start JD-Updater"
java -Xmx512m -jar jdupdate.jar
exit
else
echo "Cannot start JD-Updater: Download/Start JD-Installer"
cd $JDDIR
wget $JDINSTALLER
java -Xmx512m -jar jdupdate.jar
exit
fi
fi
if [ -e $JDDIR/JDownloader.jar ]
then
echo "JD Installation found: Starting JD now"
cd $JDDIR
#java -Xmx512m -jar JDownloader.jar --add-links $1 $2 $3 $4 $5 $6 $7 $8 $9
java -Xmx512m -jar JDownloader.jar
exit
else
echo "JD Installation found: No valid JDownloader.jar exist!"
fi
if [ -e $JDDIR/jdupdate.jar ]
then
cd $JDDIR
echo "Start JD-Updater"
java -Xmx512m -jar jdupdate.jar
else
echo "Cannot start JD-Updater: Download/Start JD-Installer"
cd $JDDIR
wget $JDINSTALLER
java -Xmx512m -jar jdupdate.jar
exit
fi
else
echo "Download/Start JD-Installer"
mkdir $JDDIR
cd $JDDIR
wget $JDINSTALLER
java -Xmx512m -jar jdupdate.jar
exit
fi

10
make-iso.sh Executable file
View File

@ -0,0 +1,10 @@
#!/bin/bash
# Hacer iso de la carpeta que queramos
clear
read -p "Introduce la carpeta a copiar:" RUTA
mkisofs -r -v -J -o Imagen.iso $RUTA
sleep 2
echo
echo
echo
echo "Hecho..."

68
mi-iptables-mejor.sh Normal file
View File

@ -0,0 +1,68 @@
*filter
#listar
#iptables -L
#ver
#iptables -S
#flushear
#iptables -F
#iptables-restore /etc/network/iptables
# queremos que eso sea permanente
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:fail2ban-ssh - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A fail2ban-ssh -j RETURN
# Se dropea todo por defecto
#-P INPUT DROP
#-P FORWARD DROP
#-P OUTPUT DROP
# Se permiten conexiones entrantes nuevas SSH y se permiten de salida las establecidas
-A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# Se permiten conexiones entrantes HTTP y se permiten de salida las establecidas y las nuevas
-A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
# Se permiten conexiones salientes nuevas SSH y se permiten de entrada las establecidas
-A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# Se permiten conexiones entrantes HTTPS y se permiten de salida las establecidas
-A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
# Se permite acceso al PROXY HTTP
-A OUTPUT -o eth0 -p tcp --dport 8080 -j ACCEPT
# Se permiten conexiones para MYSQL
-A INPUT -i eth0 -p tcp --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
# Se permiten conexiones para resolución de nombres tcp y udp
-A INPUT -i eth0 -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p udp --sport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT
#Activando ip-forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
#proteccion SYN_FLOODING
iptables -N SYNFLOOD
iptables -A INPUT -i eth0 -p tcp --syn -j SYNFLOOD
iptables -A SYNFLOOD -m limit --limit 1/s --limit-burst 10 -j RETURN
iptables -A SYNFLOOD -j DROP

88
mi-iptables.sh Normal file
View File

@ -0,0 +1,88 @@
#! /bin/sh
#insertar módulos
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
#reglas
iptables -F
#logs
#iptables -A INPUT -p tcp --dport 1:1024 -j LOG --log-prefix "INTENTOS: "
#iptables -A INPUT -p icmp --icmp-type echo-request -j LOG --log-prefix "PINGS: "
#proteccion contra el protocolo ICMP
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
#aceptando conexiones de privoxy
iptables -A INPUT -p tcp -s 127.0.0.1 --dport 8118 -j ACCEPT
iptables -A INPUT -p udp -s 127.0.0.1 --dport 8118 -j ACCEPT
#proteccion contra el protocolo UDP
iptables -A INPUT -p udp -s 0.0.0.0 -j DROP
#seteando la politica de INPUT en DROP
#iptables -P INPUT DROP
#iptables -P OUTPUT ACCEPT
#permitiendo el paso a nuestra direccion ip
iptables -A INPUT -s 127.0.0.1 -j ACCEPT
#permitir todo el trafico interno
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#aceptando las respuestas de los servidores
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#cerrando rango de puertos privilegiados
iptables -A INPUT -s 0.0.0.0/0 -p tcp --dport 22:1024 -j DROP
iptables -A INPUT -s 0.0.0.0/0 -p udp --dport 22:1024 -j DROP
#cerrando puertos aleatorios
iptables -A INPUT -p tcp --dport 3306 -j DROP
iptables -A INPUT -p udp --dport 3306 -j DROP
iptables -A INPUT -p tcp --dport 6000 -j DROP
iptables -A INPUT -p udp --dport 6000 -j DROP
iptables -A INPUT -p tcp --dport 10000 -j DROP
iptables -A INPUT -p udp --dport 10000 -j DROP
iptables -A INPUT -p tcp --dport 8118 -j DROP
iptables -A INPUT -p udp --dport 8118 -j DROP
iptables -A INPUT -p tcp --dport 1702 -j DROP
iptables -A INPUT -p udp --dport 1702 -j DROP
iptables -A INPUT -p tcp --dport 1757 -j DROP
iptables -A INPUT -p udp --dport 1757 -j DROP
iptables -A INPUT -p tcp --dport 1277 -j DROP
iptables -A INPUT -p udp --dport 1277 -j DROP
iptables -A INPUT -p tcp --dport 1419 -j DROP
iptables -A INPUT -p udp --dport 1419 -j DROP
iptables -A INPUT -p tcp --dport 1363 -j DROP
iptables -A INPUT -p udp --dport 1363 -j DROP
iptables -A INPUT -p tcp --dport 1219 -j DROP
iptables -A INPUT -p udp --dport 1219 -j DROP
iptables -A INPUT -p tcp --dport 3306 -j DROP
iptables -A INPUT -p udp --dport 3306 -j DROP
iptables -A INPUT -p tcp --dport 1675 -j DROP
iptables -A INPUT -p udp --dport 1675 -j DROP
#cerrando conexiones al Xwindows
iptables -A INPUT -p tcp --dport 6001:6065 -j DROP
iptables -A INPUT -p udp --dport 6001:6065 -j DROP
#Abriendo ftp
iptables -A INPUT -p tcp --dport 20:21 -j ACCEPT
#Activando ip-forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
#proteccion SYN_FLOODING
iptables -N SYNFLOOD
iptables -A INPUT -i eth0 -p tcp --syn -j SYNFLOOD
iptables -A SYNFLOOD -m limit --limit 1/s --limit-burst 10 -j RETURN
iptables -A SYNFLOOD -j DROP

4
movie-tumbnailer.txt Normal file
View File

@ -0,0 +1,4 @@
http://www.cli-apps.org/content/show.php/Movie+Thumbnailer?content=74676
Ahora ya puedes lanzarlo desde el mismo directorio donde tienes el video. Por ejemplo, imaginemos que el video se llama mi_pelicula.avi, hay que sacar 12 pantallazos y que al final redimensione la imagen compuesta a un 50% de su tamaño original:
shot.sh -n 12 -r 50% mi_pelicula.avi

6
paquetes-instalados.sh Normal file
View File

@ -0,0 +1,6 @@
#!/bin/bash
# Listar los paquetes instalados mediante pacman
pacman -Qei | awk '/^Nombre/ { name=$3 } /^Grupos/ { if ( $3 != "base" && $3 != "base-devel" ) { print name } }' > LISTADEPAQUETES

64
sepultura.sh Normal file
View File

@ -0,0 +1,64 @@
#!/bin/bash
x=0
y=3
while [ $x -le $y ];
do
clear
echo "ELIJE QUE SEPULTURA HACES HOY"
echo "1- Cavar una tumba."
echo "2- Abrir una tumba."
echo "3- Cerrar una tumba."
echo "4- Salir"
read x
case $x in
1)
clear
echo -n "Dale un nombre a la tumba: "; read NOM
echo -n "Dale espacio en MB: "; read MB
echo -n "Nombre de la llave: "; read KEY
echo "CAVANDO TUMBA"
tomb dig -s $MB $NOM
echo
echo "Creando llave..."
tomb forge $KEY.key
echo
echo "Bloqueando tumba..."
tomb lock $NOM -k $KEY.key
echo "Pulsa una tecla para continuar...."
read
;;
2)
clear
echo "ABRIR TUMBA"
echo -n "Nombre de la tumba: "; read NOM
echo -n "Nombre de la llave: "; read KEY
echo
tomb open $NOM -k $KEY.key
echo "Pulsa una tecla para continuar...."
read
;;
3)
clear
echo "CERRAR TUMBA"
echo -n "Dale un nombre a la tumba: "; read NOM
tomb close $NOM
echo "Pulsa una tecla para continuar...."
read
;;
*)
clear
echo "AMEN..."
echo
exit
;;
esac
done

112
shot.sh Normal file
View File

@ -0,0 +1,112 @@
#!/bin/bash
# =====================================================
# This script takes screenshots of a movie
# Depends on mplayer and imagemagick
#
# Made by Starlite
# http://starl1te.wordpress.com/
# Feel free to share and modify, but
# Please, let me know if you made improvements.
# Пожалуйста, дайте мне знать, если вы улучшили этот скрипт.
# =====================================================
usage="Type shot -h for help"
_help(){
echo -e "\nusage: shot [options] [file]\n
Options:
-t <time> - set time (in minutes) between screenshots; the number of screenshots is calculated automatically.
-n <number> - set a fixed number of screenshots to take.
-r <percent> - change the size of the output image. Less than 40% is recommended.
-h - display this help message\n
Only one option at a time is possible.
If you don't like taken screenshots, try to run the script once more
This script depends on Mplayer and ImageMagic.\n
Usage example:
shot -n 25 -r 35% ~/films/film.avi\n"
}
shot(){
# Making screenshots...
for i in `seq 1 $shots_number`;
do
randomiser=$RANDOM; let "randomiser %= 25"
hop=`echo $[$shot_time*60*$i+$randomiser]`
mplayer -ss $hop -noautosub -frames 1 -ao null -vo png "$file_path" > /dev/null 2>&1
mv 00000001.png /tmp/shots/$i.png
echo -ne "Taking screenshot #${i} \r"
done
echo "Taking screenshots... [OK]"
}
# ====== first step is here! ;-) ========
# Checking options...
while getopts ":t:n:r:h" option
do
case $option in
t ) shot_time=$OPTARG; opt=_time;;
n ) shots_number=$OPTARG; opt=_num;;
h ) _help; opt=1; exit 1;;
r ) res=$OPTARG;;
: ) echo "No argument given"; opt=1; exit 1;;
* ) echo "Unknown option"; echo $usage; opt=1; exit 1;;
esac
done
if [ "$res" == "" ]; then res=40%; fi
if [ "$opt" == "" ]; then echo "No option given!"; echo $usage; exit 1; fi
shift $(($OPTIND - 1))
if [ "$1" == "" ]; then echo "No file given!"; echo $usage; exit 1; fi
mkdir /tmp/shots
# Parsing files...
while [ "$1" != "" ]
do
file_path=$1
file_name_ext=${file_path##*/}
file_name=`echo "$file_name_ext" | sed '$s/....$//'`
randomiser=0
movdir=`dirname "$file_path"`
if [ "$movdir" == "." ]; then
movdir=`pwd`
file_path=$movdir/$file_path
fi
cd "$movdir"
echo "Processing file $file_name..."
# Getting movie length...
length=`mplayer -identify "$file_path" -frames 1 -ao null -vo null 2>/dev/null \
| grep LENGTH | sed -e 's/^.*=//' -e 's/[.].*//'`
if [ "$length" == "" ]; then echo "Error! Can't get the length of the movie."; exit 1; fi
if [ "$opt" == "_time" ]; then
shots_number=`echo $[$length/60/$shot_time]`
shot
elif [ "$opt" == "_num" ]; then
shot_time=`echo $[$length/$shots_number/60]`
shot
fi
# Placing all taken screenshots in one picture...
echo -n "Putting screenshots together..."
cd /tmp/shots/
montage -geometry +2+2 -compress jpeg `ls *.png | sort -n` "$file_name".jpg
mogrify -resize $res "$file_name".jpg
echo " [OK]"
echo -n "Getting video info..."
size=`stat -c%s "$file_path"`
size=`echo $[$size/1024/1024]`
format=`mplayer -frames 1 -ao null -vo null -identify 2>/dev/null "$file_path" | grep VIDEO: | cut -d " " -f 5`
length=`echo $[$length/60]`
# It's a tricky code here, it adds some info about the movie to the output image.
echo -e "File name: $file_name_ext\nSize: $size Mb\nResolution: $format\nDuration: $length min." | convert -pointsize 16 -trim +repage text:- text.jpg
convert "$file_name".jpg -splice 0x70 -draw 'image over 5,5 0,0 text.jpg' "$movdir/$file_name".jpg
echo " [OK]"; echo
cd "$movdir"
shift
done
rm -r /tmp/shots
echo "Done"

873
spectre-meltdown-checker.sh Normal file
View File

@ -0,0 +1,873 @@
#! /bin/sh
# Spectre & Meltdown checker
#
# Check for the latest version at:
# https://github.com/speed47/spectre-meltdown-checker
# git clone https://github.com/speed47/spectre-meltdown-checker.git
# or wget https://raw.githubusercontent.com/speed47/spectre-meltdown-checker/master/spectre-meltdown-checker.sh
#
# Stephane Lesimple
#
VERSION=0.25
# Script configuration
show_usage()
{
cat <<EOF
Usage:
Live mode: $0 [options] [--live]
Offline mode: $0 [options] [--kernel <vmlinux_file>] [--config <kernel_config>] [--map <kernel_map_file>]
Modes:
Two modes are available.
First mode is the "live" mode (default), it does its best to find information about the currently running kernel.
To run under this mode, just start the script without any option (you can also use --live explicitely)
Second mode is the "offline" mode, where you can inspect a non-running kernel.
You'll need to specify the location of the vmlinux file, and if possible, the corresponding config and System.map files:
--kernel vmlinux_file Specify a (possibly compressed) vmlinux file
--config kernel_config Specify a kernel config file
--map kernel_map_file Specify a kernel System.map file
Options:
--no-color Don't use color codes
-v, --verbose Increase verbosity level
--batch text Produce machine readable output, this is the default if --batch is specified alone
--batch json Produce JSON output formatted for Puppet, Ansible, Chef...
--batch nrpe Produce machine readable output formatted for NRPE
--variant [1,2,3] Specify which variant you'd like to check, by default all variants are checked
Can be specified multiple times (e.g. --variant 2 --variant 3)
IMPORTANT:
A false sense of security is worse than no security at all.
Please use the --disclaimer option to understand exactly what this script does.
EOF
}
show_disclaimer()
{
cat <<EOF
Disclaimer:
This tool does its best to determine whether your system is immune (or has proper mitigations in place) for the
collectively named "speculative execution" vulnerabilities. It doesn't attempt to run any kind of exploit, and can't guarantee
that your system is secure, but rather helps you verifying whether your system has the known correct mitigations in place.
However, some mitigations could also exist in your kernel that this script doesn't know (yet) how to detect, or it might
falsely detect mitigations that in the end don't work as expected (for example, on backported or modified kernels).
Your system exposure also depends on your CPU. As of now, AMD and ARM processors are marked as immune to some or all of these
vulnerabilities (except some specific ARM models). All Intel processors manufactured since circa 1995 are thought to be vulnerable.
Whatever processor one uses, one might seek more information from the manufacturer of that processor and/or of the device
in which it runs.
The nature of the discovered vulnerabilities being quite new, the landscape of vulnerable processors can be expected
to change over time, which is why this script makes the assumption that all CPUs are vulnerable, except if the manufacturer
explicitely stated otherwise in a verifiable public announcement.
This tool has been released in the hope that it'll be useful, but don't use it to jump to conclusions about your security.
EOF
}
# parse options
opt_kernel=''
opt_config=''
opt_map=''
opt_live_explicit=0
opt_live=1
opt_no_color=0
opt_batch=0
opt_batch_format="text"
opt_verbose=1
opt_variant1=0
opt_variant2=0
opt_variant3=0
opt_allvariants=1
nrpe_critical=0
nrpe_unknown=0
nrpe_vuln=""
__echo()
{
opt="$1"
shift
msg="$@"
if [ "$opt_no_color" = 1 ] ; then
# strip ANSI color codes
msg=$(/bin/echo -e "$msg" | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g")
fi
# explicitely call /bin/echo to avoid shell builtins that might not take options
/bin/echo $opt -e "$msg"
}
_echo()
{
if [ $opt_verbose -ge $1 ]; then
shift
__echo '' "$@"
fi
}
_echo_nol()
{
if [ $opt_verbose -ge $1 ]; then
shift
__echo -n "$@"
fi
}
_warn()
{
_echo 0 "\033[31m${@}\033[0m"
}
_info()
{
_echo 1 "$@"
}
_info_nol()
{
_echo_nol 1 "$@"
}
_verbose()
{
_echo 2 "$@"
}
_debug()
{
_echo 3 "(debug) $@"
}
is_cpu_vulnerable()
{
# param: 1, 2 or 3 (variant)
# returns 1 if vulnerable, 0 if not vulnerable, 255 on error
# by default, everything is vulnerable, we work in a "whitelist" logic here.
# usage: is_cpu_vulnerable 2 && do something if vulnerable
variant1=0
variant2=0
variant3=0
if grep -q AMD /proc/cpuinfo; then
variant1=0
variant2=1
variant3=1
elif grep -qi 'CPU implementer\s*:\s*0x41' /proc/cpuinfo; then
# ARM
# reference: https://developer.arm.com/support/security-update
cpupart=$(awk '/CPU part/ {print $4;exit}' /proc/cpuinfo)
cpuarch=$(awk '/CPU architecture/ {print $3;exit}' /proc/cpuinfo)
if [ -n "$cpupart" -a -n "$cpuarch" ]; then
# Cortex-R7 and Cortex-R8 are real-time and only used in medical devices or such
# I can't find their CPU part number, but it's probably not that useful anyway
# model R7 R8 A9 A15 A17 A57 A72 A73 A75
# part ? ? 0xc09 0xc0f 0xc0e 0xd07 0xd08 0xd09 0xd0a
# arch 7? 7? 7 7 7 8 8 8 8
if [ "$cpuarch" = 7 ] && echo "$cpupart" | grep -Eq '^0x(c09|c0f|c0e)$'; then
# armv7 vulnerable chips
variant1=0
variant2=0
elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -Eq '^0x(d07|d08|d09|d0a)$'; then
# armv8 vulnerable chips
variant1=0
variant2=0
else
variant1=1
variant2=1
fi
# for variant3, only A75 is vulnerable
if [ "$cpuarch" = 8 -a "$cpupart" = 0xd0a ]; then
variant3=0
else
variant3=1
fi
fi
fi
[ "$1" = 1 ] && return $variant1
[ "$1" = 2 ] && return $variant2
[ "$1" = 3 ] && return $variant3
return 255
}
show_header()
{
_info "\033[1;34mSpectre and Meltdown mitigation detection tool v$VERSION\033[0m"
_info
}
parse_opt_file()
{
# parse_opt_file option_name option_value
option_name="$1"
option_value="$2"
if [ -z "$option_value" ]; then
show_header
show_usage
echo "$0: error: --$option_name expects one parameter (a file)" >&2
exit 1
elif [ ! -e "$option_value" ]; then
show_header
echo "$0: error: couldn't find file $option_value" >&2
exit 1
elif [ ! -f "$option_value" ]; then
show_header
echo "$0: error: $option_value is not a file" >&2
exit 1
elif [ ! -r "$option_value" ]; then
show_header
echo "$0: error: couldn't read $option_value (are you root?)" >&2
exit 1
fi
echo "$option_value"
exit 0
}
while [ -n "$1" ]; do
if [ "$1" = "--kernel" ]; then
opt_kernel=$(parse_opt_file kernel "$2")
[ $? -ne 0 ] && exit $?
shift 2
opt_live=0
elif [ "$1" = "--config" ]; then
opt_config=$(parse_opt_file config "$2")
[ $? -ne 0 ] && exit $?
shift 2
opt_live=0
elif [ "$1" = "--map" ]; then
opt_map=$(parse_opt_file map "$2")
[ $? -ne 0 ] && exit $?
shift 2
opt_live=0
elif [ "$1" = "--live" ]; then
opt_live_explicit=1
shift
elif [ "$1" = "--no-color" ]; then
opt_no_color=1
shift
elif [ "$1" = "--batch" ]; then
opt_batch=1
opt_verbose=0
shift
case "$1" in
text|nrpe|json) opt_batch_format="$1"; shift;;
--*) ;; # allow subsequent flags
'') ;; # allow nothing at all
*)
echo "$0: error: unknown batch format '$1'"
echo "$0: error: --batch expects a format from: text, nrpe, json"
exit 1 >&2
;;
esac
elif [ "$1" = "-v" -o "$1" = "--verbose" ]; then
opt_verbose=$(expr $opt_verbose + 1)
shift
elif [ "$1" = "--variant" ]; then
if [ -z "$2" ]; then
echo "$0: error: option --variant expects a parameter (1, 2 or 3)" >&2
exit 1
fi
case "$2" in
1) opt_variant1=1; opt_allvariants=0;;
2) opt_variant2=1; opt_allvariants=0;;
3) opt_variant3=1; opt_allvariants=0;;
*)
echo "$0: error: invalid parameter '$2' for --variant, expected either 1, 2 or 3" >&2;
exit 1;;
esac
shift 2
elif [ "$1" = "-h" -o "$1" = "--help" ]; then
show_header
show_usage
exit 0
elif [ "$1" = "--disclaimer" ]; then
show_header
show_disclaimer
exit 0
else
show_header
show_usage
echo "$0: error: unknown option '$1'"
exit 1
fi
done
show_header
# print status function
pstatus()
{
if [ "$opt_no_color" = 1 ]; then
_info_nol "$2"
else
case "$1" in
red) col="\033[101m\033[30m";;
green) col="\033[102m\033[30m";;
yellow) col="\033[103m\033[30m";;
blue) col="\033[104m\033[30m";;
*) col="";;
esac
_info_nol "$col $2 \033[0m"
fi
[ -n "$3" ] && _info_nol " ($3)"
_info
}
# Print the final status of a vulnerability (incl. batch mode)
# Arguments are: CVE UNK/OK/VULN description
pvulnstatus()
{
if [ "$opt_batch" = 1 ]; then
case "$opt_batch_format" in
text) _echo 0 "$1: $2 ($3)";;
nrpe)
case "$2" in
UKN) nrpe_unknown="1";;
VULN) nrpe_critical="1"; nrpe_vuln="$nrpe_vuln $1";;
esac
;;
json)
case "$1" in
CVE-2017-5753) aka="SPECTRE VARIANT 1";;
CVE-2017-5715) aka="SPECTRE VARIANT 2";;
CVE-2017-5754) aka="MELTDOWN";;
esac
case "$2" in
UKN) is_vuln="unknown";;
VULN) is_vuln="true";;
OK) is_vuln="false";;
esac
json_output="${json_output:-[}{\"NAME\":\""$aka"\",\"CVE\":\""$1"\",\"VULNERABLE\":$is_vuln,\"INFOS\":\""$3"\"},"
;;
esac
fi
_info_nol "> \033[46m\033[30mSTATUS:\033[0m "
vulnstatus="$2"
shift 2
case "$vulnstatus" in
UNK) pstatus yellow UNKNOWN "$@";;
VULN) pstatus red 'VULNERABLE' "$@";;
OK) pstatus green 'NOT VULNERABLE' "$@";;
esac
}
# The 3 below functions are taken from the extract-linux script, available here:
# https://github.com/torvalds/linux/blob/master/scripts/extract-vmlinux
# The functions have been modified for better integration to this script
# The original header of the file has been retained below
# ----------------------------------------------------------------------
# extract-vmlinux - Extract uncompressed vmlinux from a kernel image
#
# Inspired from extract-ikconfig
# (c) 2009,2010 Dick Streefland <dick@streefland.net>
#
# (c) 2011 Corentin Chary <corentin.chary@gmail.com>
#
# Licensed under the GNU General Public License, version 2 (GPLv2).
# ----------------------------------------------------------------------
vmlinux=''
vmlinux_err=''
check_vmlinux()
{
readelf -h "$1" > /dev/null 2>&1 || return 1
return 0
}
try_decompress()
{
# The obscure use of the "tr" filter is to work around older versions of
# "grep" that report the byte offset of the line instead of the pattern.
# Try to find the header ($1) and decompress from here
for pos in `tr "$1\n$2" "\n$2=" < "$6" | grep -abo "^$2"`
do
_debug "try_decompress: magic for $3 found at offset $pos"
if ! which "$3" >/dev/null 2>&1; then
vmlinux_err="missing '$3' tool, please install it, usually it's in the '$5' package"
return 0
fi
pos=${pos%%:*}
tail -c+$pos "$6" 2>/dev/null | $3 $4 > $vmlinuxtmp 2>/dev/null
if check_vmlinux "$vmlinuxtmp"; then
vmlinux="$vmlinuxtmp"
_debug "try_decompress: decompressed with $3 successfully!"
return 0
else
_debug "try_decompress: decompression with $3 did not work"
fi
done
return 1
}
extract_vmlinux()
{
[ -n "$1" ] || return 1
# Prepare temp files:
vmlinuxtmp="$(mktemp /tmp/vmlinux-XXXXXX)"
trap "rm -f $vmlinuxtmp" EXIT
# Initial attempt for uncompressed images or objects:
if check_vmlinux "$1"; then
cat "$1" > "$vmlinuxtmp"
vmlinux=$vmlinuxtmp
return 0
fi
# That didn't work, so retry after decompression.
try_decompress '\037\213\010' xy gunzip '' gunzip "$1" && return 0
try_decompress '\3757zXZ\000' abcde unxz '' xz-utils "$1" && return 0
try_decompress 'BZh' xy bunzip2 '' bzip2 "$1" && return 0
try_decompress '\135\0\0\0' xxx unlzma '' xz-utils "$1" && return 0
try_decompress '\211\114\132' xy 'lzop' '-d' lzop "$1" && return 0
try_decompress '\002\041\114\030' xyy 'lz4' '-d -l' liblz4-tool "$1" && return 0
return 1
}
# end of extract-vmlinux functions
# check for mode selection inconsistency
if [ "$opt_live_explicit" = 1 ]; then
if [ -n "$opt_kernel" -o -n "$opt_config" -o -n "$opt_map" ]; then
show_usage
echo "$0: error: incompatible modes specified, use either --live or --kernel/--config/--map"
exit 1
fi
fi
# root check (only for live mode, for offline mode, we already checked if we could read the files)
if [ "$opt_live" = 1 ]; then
if [ "$(id -u)" -ne 0 ]; then
_warn "Note that you should launch this script with root privileges to get accurate information."
_warn "We'll proceed but you might see permission denied errors."
_warn "To run it as root, you can try the following command: sudo $0"
_warn
fi
_info "Checking for vulnerabilities against live running kernel \033[35m"$(uname -s) $(uname -r) $(uname -v) $(uname -m)"\033[0m"
# try to find the image of the current running kernel
# first, look for the BOOT_IMAGE hint in the kernel cmdline
if [ -r /proc/cmdline ] && grep -q 'BOOT_IMAGE=' /proc/cmdline; then
opt_kernel=$(grep -Eo 'BOOT_IMAGE=[^ ]+' /proc/cmdline | cut -d= -f2)
_debug "found opt_kernel=$opt_kernel in /proc/cmdline"
# if we have a dedicated /boot partition, our bootloader might have just called it /
# so try to prepend /boot and see if we find anything
[ -e "/boot/$opt_kernel" ] && opt_kernel="/boot/$opt_kernel"
_debug "opt_kernel is now $opt_kernel"
# else, the full path is already there (most probably /boot/something)
fi
# if we didn't find a kernel, default to guessing
if [ ! -e "$opt_kernel" ]; then
[ -e /boot/vmlinuz-linux ] && opt_kernel=/boot/vmlinuz-linux
[ -e /boot/vmlinuz-linux-libre ] && opt_kernel=/boot/vmlinuz-linux-libre
[ -e /boot/vmlinuz-$(uname -r) ] && opt_kernel=/boot/vmlinuz-$(uname -r)
[ -e /boot/kernel-$( uname -r) ] && opt_kernel=/boot/kernel-$( uname -r)
[ -e /boot/bzImage-$(uname -r) ] && opt_kernel=/boot/bzImage-$(uname -r)
[ -e /boot/kernel-genkernel-$(uname -m)-$(uname -r) ] && opt_kernel=/boot/kernel-genkernel-$(uname -m)-$(uname -r)
fi
# system.map
if [ -e /proc/kallsyms ] ; then
opt_map="/proc/kallsyms"
elif [ -e /boot/System.map-$(uname -r) ] ; then
opt_map=/boot/System.map-$(uname -r)
fi
# config
if [ -e /proc/config.gz ] ; then
dumped_config="$(mktemp /tmp/config-XXXXXX)"
gunzip -c /proc/config.gz > $dumped_config
# dumped_config will be deleted at the end of the script
opt_config=$dumped_config
elif [ -e /boot/config-$(uname -r) ]; then
opt_config=/boot/config-$(uname -r)
fi
else
_info "Checking for vulnerabilities against specified kernel"
fi
if [ -n "$opt_kernel" ]; then
_verbose "Will use vmlinux image \033[35m$opt_kernel\033[0m"
else
_verbose "Will use no vmlinux image (accuracy might be reduced)"
fi
if [ -n "$dumped_config" ]; then
_verbose "Will use kconfig \033[35m/proc/config.gz\033[0m"
elif [ -n "$opt_config" ]; then
_verbose "Will use kconfig \033[35m$opt_config\033[0m"
else
_verbose "Will use no kconfig (accuracy might be reduced)"
fi
if [ -n "$opt_map" ]; then
_verbose "Will use System.map file \033[35m$opt_map\033[0m"
else
_verbose "Will use no System.map file (accuracy might be reduced)"
fi
if [ -e "$opt_kernel" ]; then
if ! which readelf >/dev/null 2>&1; then
vmlinux_err="missing 'readelf' tool, please install it, usually it's in the 'binutils' package"
else
extract_vmlinux "$opt_kernel"
fi
else
vmlinux_err="couldn't find your kernel image in /boot, if you used netboot, this is normal"
fi
if [ -z "$vmlinux" -o ! -r "$vmlinux" ]; then
[ -z "$vmlinux_err" ] && vmlinux_err="couldn't extract your kernel from $opt_kernel"
fi
_info
# end of header stuff
# now we define some util functions and the check_*() funcs, as
# the user can choose to execute only some of those
mount_debugfs()
{
if [ ! -e /sys/kernel/debug/sched_features ]; then
# try to mount the debugfs hierarchy ourselves and remember it to umount afterwards
mount -t debugfs debugfs /sys/kernel/debug 2>/dev/null && mounted_debugfs=1
fi
}
umount_debugfs()
{
if [ "$mounted_debugfs" = 1 ]; then
# umount debugfs if we did mount it ourselves
umount /sys/kernel/debug
fi
}
###################
# SPECTRE VARIANT 1
check_variant1()
{
_info "\033[1;34mCVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'\033[0m"
_info_nol "* Checking count of LFENCE opcodes in kernel: "
status=0
if [ -n "$vmlinux_err" ]; then
pstatus yellow UNKNOWN "$vmlinux_err"
else
if ! which objdump >/dev/null 2>&1; then
pstatus yellow UNKNOWN "missing 'objdump' tool, please install it, usually it's in the binutils package"
else
# here we disassemble the kernel and count the number of occurences of the LFENCE opcode
# in non-patched kernels, this has been empirically determined as being around 40-50
# in patched kernels, this is more around 70-80, sometimes way higher (100+)
# v0.13: 68 found in a 3.10.23-xxxx-std-ipv6-64 (with lots of modules compiled-in directly), which doesn't have the LFENCE patches,
# so let's push the threshold to 70.
# TODO LKML patch is starting to dump LFENCE in favor of the PAUSE opcode, we might need to check that (patch not stabilized yet)
nb_lfence=$(objdump -D "$vmlinux" | grep -wc lfence)
if [ "$nb_lfence" -lt 70 ]; then
pstatus red NO "only $nb_lfence opcodes found, should be >= 70"
status=1
else
pstatus green YES "$nb_lfence opcodes found, which is >= 70"
status=2
fi
fi
fi
if ! is_cpu_vulnerable 1; then
pvulnstatus CVE-2017-5753 OK "your CPU vendor reported your CPU model as not vulnerable"
else
case "$status" in
0) pvulnstatus CVE-2017-5753 UNK "impossible to check ${vmlinux}";;
1) pvulnstatus CVE-2017-5753 VULN 'heuristic to be improved when official patches become available';;
2) pvulnstatus CVE-2017-5753 OK 'heuristic to be improved when official patches become available';;
esac
fi
}
###################
# SPECTRE VARIANT 2
check_variant2()
{
_info "\033[1;34mCVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'\033[0m"
_info "* Mitigation 1"
_info_nol "* Hardware (CPU microcode) support for mitigation: "
if [ ! -e /dev/cpu/0/msr ]; then
# try to load the module ourselves (and remember it so we can rmmod it afterwards)
modprobe msr 2>/dev/null && insmod_msr=1
fi
if [ ! -e /dev/cpu/0/msr ]; then
pstatus yellow UNKNOWN "couldn't read /dev/cpu/0/msr, is msr support enabled in your kernel?"
else
# the new MSR 'SPEC_CTRL' is at offset 0x48
# here we use dd, it's the same as using 'rdmsr 0x48' but without needing the rdmsr tool
# if we get a read error, the MSR is not there
dd if=/dev/cpu/0/msr of=/dev/null bs=8 count=1 skip=9 2>/dev/null
if [ $? -eq 0 ]; then
pstatus green YES
else
pstatus red NO
fi
fi
if [ "$insmod_msr" = 1 ]; then
# if we used modprobe ourselves, rmmod the module
rmmod msr 2>/dev/null
fi
_info_nol "* Kernel support for IBRS: "
if [ "$opt_live" = 1 ]; then
mount_debugfs
for ibrs_file in \
/sys/kernel/debug/ibrs_enabled \
/sys/kernel/debug/x86/ibrs_enabled \
/proc/sys/kernel/ibrs_enabled; do
if [ -e "$ibrs_file" ]; then
# if the file is there, we have IBRS compiled-in
# /sys/kernel/debug/ibrs_enabled: vanilla
# /sys/kernel/debug/x86/ibrs_enabled: RedHat (see https://access.redhat.com/articles/3311301)
# /proc/sys/kernel/ibrs_enabled: OpenSUSE tumbleweed
pstatus green YES
ibrs_supported=1
ibrs_enabled=$(cat "$ibrs_file" 2>/dev/null)
break
fi
done
fi
if [ "$ibrs_supported" != 1 -a -n "$opt_map" ]; then
if grep -q spec_ctrl "$opt_map"; then
pstatus green YES
ibrs_supported=1
fi
fi
if [ "$ibrs_supported" != 1 ]; then
pstatus red NO
fi
_info_nol "* IBRS enabled for Kernel space: "
if [ "$opt_live" = 1 ]; then
# 0 means disabled
# 1 is enabled only for kernel space
# 2 is enabled for kernel and user space
case "$ibrs_enabled" in
"") [ "$ibrs_supported" = 1 ] && pstatus yellow UNKNOWN || pstatus red NO;;
0) pstatus red NO;;
1 | 2) pstatus green YES;;
*) pstatus yellow UNKNOWN;;
esac
else
pstatus blue N/A "not testable in offline mode"
fi
_info_nol "* IBRS enabled for User space: "
if [ "$opt_live" = 1 ]; then
case "$ibrs_enabled" in
"") [ "$ibrs_supported" = 1 ] && pstatus yellow UNKNOWN || pstatus red NO;;
0 | 1) pstatus red NO;;
2) pstatus green YES;;
*) pstatus yellow UNKNOWN;;
esac
else
pstatus blue N/A "not testable in offline mode"
fi
_info "* Mitigation 2"
_info_nol "* Kernel compiled with retpoline option: "
# We check the RETPOLINE kernel options
if [ -r "$opt_config" ]; then
if grep -q '^CONFIG_RETPOLINE=y' "$opt_config"; then
pstatus green YES
retpoline=1
else
pstatus red NO
fi
else
pstatus yellow UNKNOWN "couldn't read your kernel configuration"
fi
_info_nol "* Kernel compiled with a retpoline-aware compiler: "
# Now check if the compiler used to compile the kernel knows how to insert retpolines in generated asm
# For gcc, this is -mindirect-branch=thunk-extern (detected by the kernel makefiles)
# See gcc commit https://github.com/hjl-tools/gcc/commit/23b517d4a67c02d3ef80b6109218f2aadad7bd79
# In latest retpoline LKML patches, the noretpoline_setup symbol exists only if CONFIG_RETPOLINE is set
# *AND* if the compiler is retpoline-compliant, so look for that symbol
if [ -n "$opt_map" ]; then
# look for the symbol
if grep -qw noretpoline_setup "$opt_map"; then
retpoline_compiler=1
pstatus green YES "noretpoline_setup symbol found in System.map"
else
pstatus red NO
fi
elif [ -n "$vmlinux" ]; then
# look for the symbol
if which nm >/dev/null 2>&1; then
# the proper way: use nm and look for the symbol
if nm "$vmlinux" 2>/dev/null | grep -qw 'noretpoline_setup'; then
retpoline_compiler=1
pstatus green YES "noretpoline_setup found in vmlinux symbols"
else
pstatus red NO
fi
elif grep -q noretpoline_setup "$vmlinux"; then
# if we don't have nm, nevermind, the symbol name is long enough to not have
# any false positive using good old grep directly on the binary
retpoline_compiler=1
pstatus green YES "noretpoline_setup found in vmlinux"
else
pstatus red NO
fi
else
pstatus yellow UNKNOWN "couldn't find your kernel image or System.map"
fi
if ! is_cpu_vulnerable 2; then
pvulnstatus CVE-2017-5715 OK "your CPU vendor reported your CPU model as not vulnerable"
elif [ "$retpoline" = 1 -a "$retpoline_compiler" = 1 ]; then
pvulnstatus CVE-2017-5715 OK "retpoline mitigate the vulnerability"
elif [ "$opt_live" = 1 ]; then
if [ "$ibrs_enabled" = 1 -o "$ibrs_enabled" = 2 ]; then
pvulnstatus CVE-2017-5715 OK "IBRS mitigates the vulnerability"
else
pvulnstatus CVE-2017-5715 VULN "IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability"
fi
else
if [ "$ibrs_supported" = 1 ]; then
pvulnstatus CVE-2017-5715 OK "offline mode: IBRS will mitigate the vulnerability if enabled at runtime"
else
pvulnstatus CVE-2017-5715 VULN "IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability"
fi
fi
}
########################
# MELTDOWN aka VARIANT 3
check_variant3()
{
_info "\033[1;34mCVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'\033[0m"
_info_nol "* Kernel supports Page Table Isolation (PTI): "
kpti_support=0
kpti_can_tell=0
if [ -n "$opt_config" ]; then
kpti_can_tell=1
if grep -Eq '^(CONFIG_PAGE_TABLE_ISOLATION|CONFIG_KAISER)=y' "$opt_config"; then
kpti_support=1
fi
fi
if [ "$kpti_support" = 0 -a -n "$opt_map" ]; then
# it's not an elif: some backports don't have the PTI config but still include the patch
# so we try to find an exported symbol that is part of the PTI patch in System.map
kpti_can_tell=1
if grep -qw kpti_force_enabled "$opt_map"; then
kpti_support=1
fi
fi
if [ "$kpti_support" = 0 -a -n "$vmlinux" ]; then
# same as above but in case we don't have System.map and only vmlinux, look for the
# nopti option that is part of the patch (kernel command line option)
kpti_can_tell=1
if ! which strings >/dev/null 2>&1; then
pstatus yellow UNKNOWN "missing 'strings' tool, please install it, usually it's in the binutils package"
else
if strings "$vmlinux" | grep -qw nopti; then
kpti_support=1
fi
fi
fi
if [ "$kpti_support" = 1 ]; then
pstatus green YES
elif [ "$kpti_can_tell" = 1 ]; then
pstatus red NO
else
pstatus yellow UNKNOWN "couldn't read your kernel configuration nor System.map file"
fi
mount_debugfs
_info_nol "* PTI enabled and active: "
if [ "$opt_live" = 1 ]; then
if grep ^flags /proc/cpuinfo | grep -qw pti; then
# vanilla PTI patch sets the 'pti' flag in cpuinfo
kpti_enabled=1
elif grep ^flags /proc/cpuinfo | grep -qw kaiser; then
# kernel line 4.9 sets the 'kaiser' flag in cpuinfo
kpti_enabled=1
elif [ -e /sys/kernel/debug/x86/pti_enabled ]; then
# RedHat Backport creates a dedicated file, see https://access.redhat.com/articles/3311301
kpti_enabled=$(cat /sys/kernel/debug/x86/pti_enabled 2>/dev/null)
elif dmesg | grep -Eq 'Kernel/User page tables isolation: enabled|Kernel page table isolation enabled'; then
# if we can't find the flag, grep dmesg output
kpti_enabled=1
elif [ -r /var/log/dmesg ] && grep -Eq 'Kernel/User page tables isolation: enabled|Kernel page table isolation enabled' /var/log/dmesg; then
# if we can't find the flag in dmesg output, grep in /var/log/dmesg when readable
kpti_enabled=1
else
kpti_enabled=0
fi
if [ "$kpti_enabled" = 1 ]; then
pstatus green YES
else
pstatus red NO
fi
else
pstatus blue N/A "can't verify if PTI is enabled in offline mode"
fi
if ! is_cpu_vulnerable 3; then
pvulnstatus CVE-2017-5754 OK "your CPU vendor reported your CPU model as not vulnerable"
elif [ "$opt_live" = 1 ]; then
if [ "$kpti_enabled" = 1 ]; then
pvulnstatus CVE-2017-5754 OK "PTI mitigates the vulnerability"
else
pvulnstatus CVE-2017-5754 VULN "PTI is needed to mitigate the vulnerability"
fi
else
if [ "$kpti_support" = 1 ]; then
pvulnstatus CVE-2017-5754 OK "offline mode: PTI will mitigate the vulnerability if enabled at runtime"
else
pvulnstatus CVE-2017-5754 VULN "PTI is needed to mitigate the vulnerability"
fi
fi
}
# now run the checks the user asked for
if [ "$opt_variant1" = 1 -o "$opt_allvariants" = 1 ]; then
check_variant1
_info
fi
if [ "$opt_variant2" = 1 -o "$opt_allvariants" = 1 ]; then
check_variant2
_info
fi
if [ "$opt_variant3" = 1 -o "$opt_allvariants" = 1 ]; then
check_variant3
_info
fi
_info "A false sense of security is worse than no security at all, see --disclaimer"
# this'll umount only if we mounted debugfs ourselves
umount_debugfs
# cleanup the temp decompressed config
[ -n "$dumped_config" ] && rm -f "$dumped_config"
if [ "$opt_batch" = 1 -a "$opt_batch_format" = "nrpe" ]; then
if [ ! -z "$nrpe_vuln" ]; then
echo "Vulnerable:$nrpe_vuln"
else
echo "OK"
fi
[ "$nrpe_critical" = 1 ] && exit 2 # critical
[ "$nrpe_unknown" = 1 ] && exit 3 # unknown
exit 0 # ok
fi
if [ "$opt_batch" = 1 -a "$opt_batch_format" = "json" ]; then
_echo 0 ${json_output%?}]
fi

57
sys-bkp.sh Executable file
View File

@ -0,0 +1,57 @@
#!/bin/bash
clear
echo " ###################################"
echo "## ##"
echo "## SCRIPT COPIAS DE SISTEMA ##"
echo "## ##"
echo "## Por ZX80 ##"
echo "## ##"
echo " ####################################"
echo
echo "Pulse enter para empezar a copiar."
read -n 0 -ers
echo
echo
echo
sleep 2s
echo "Copiando .electrumfair"
sleep 2s
cp -Rpv ~/.electrumfair /home/zx80/sys/
echo
echo "Copiando .faircoin2"
sleep 2s
cp -Rpv ~/.faircoin2 /home/zx80/sys/
echo
echo "Copiando .fonts"
sleep 2s
cp -Rpv ~/.fonts /home/zx80/sys/
echo
echo "Copiando .gnuppg"
sleep 2s
cp -Rpv ~/.gnupg /home/zx80/sys/
echo
echo "Copiando .icons"
sleep 2s
cp -Rpv ~/.icons /home/zx80/sys/
echo
echo "Copiando Varios.kdbx"
sleep 2s
cp -Rpv ~/Varios.kdbx /home/zx80/sys/
cp -Rpv ~/Varios.kdbx /home/zx80/nextCloud/
echo
sleep 3s
echo .
echo .
echo .
echo .
echo "Copia realizada correctamente."
echo
echo
exit

30
wipemem.sh Normal file
View File

@ -0,0 +1,30 @@
#!/bin/bash
# Uso de las secure-tools para limpiar la memoria
# Limpia swap, ram y directorio /var
# smem
# sswap
# srm -r /var
clear
echo "=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-="
echo " VIGILA TU PRIVACIDAD. MUERTE A LOS DATOS"
echo "=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-="
echo
echo "Pulsa enter para empezar"
read -n 0 -ers
echo
echo
echo
echo "Eliminando swap..."
sswap
sleep 2s
echo "Eliminando RAM..."
smem
sleep 2s
echo "Eliminando /var..."
srm -r /var
sleep 2s
#echo "Apagando..."
#shutdown -h now