Skip to content

Instantly share code, notes, and snippets.

@rawiriblundell
rawiriblundell / check_user_lastseen
Created September 13, 2020 00:13
checkmk local check for local account auditing
#!/bin/bash
# check_user_lastseen - report on users who have not logged in for a while
# Purpose:
# This script tries to find idle accounts and any orphaned homedirs
# Currently is Linux biased but capacity for portability is there
# Author: Rawiri Blundell
# Copyright: See provided LICENCE file
###############################################################################
# Source the config mapping library
# Provides variables "${thisHost}", "${thisJob}" and
@jaredhaight
jaredhaight / windows_hardening.cmd
Last active April 28, 2024 16:59 — forked from mackwage/windows_hardening.cmd
Script to perform some hardening of Windows OS.
::
::#######################################################################
::
:: Change file associations to protect against common ransomware attacks
:: Note that if you legitimately use these extensions, like .bat, you will now need to execute them manually from cmd or powershell
:: Alternatively, you can right-click on them and hit 'Run as Administrator' but ensure it's a script you want to run :)
:: ---------------------
ftype htafile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
ftype WSHFile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
ftype batfile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
@automine
automine / inputs.conf
Last active September 7, 2023 11:18
Nice windows event blacklisting
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist3 = EventCode="4688" Message="New Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk\-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi|optimize))\.exe)"
blacklist4 = EventCode="4689" Message="Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk\-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi|optimize))\.exe)"
@automine
automine / props.conf
Last active January 12, 2023 15:02
Windows Event Clean Up in Splunk
[WinEventLog:Security]
#Returns most of the space savings XML would provide
SEDCMD-clean0-null_sids = s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g s/(?m)(\:)(\s+NULL SID)$/\1/g s/(?m)(ID\:)(\s+0x0)$/\1/g
SEDCMD-clean1-summary = s/This event is generated[\S\s\r\n]+$//g
SEDCMD-clean2-cert_summary = s/Certificate information is only[\S\s\r\n]+$//g
SEDCMD-clean3-blank_ipv6 = s/::ffff://g
SEDCMD-clean4-token_elevation_summary = s/Token Elevation Type indicates[\S\s\r\n]+$//g
SEDCMD-clean5-network_share_summary = s/(?ms)(A network share object was checked to see whether.*$)//g
SEDCMD-clean6-authentication_summary = s/(?ms)(The computer attempted to validate the credentials.*$)//g
SEDCMD-clean7-local_ipv6 = s/(?ms)(::1)//g
@jbratu
jbratu / setupiisforsslperfectforwardsecrecy_v17.ps1
Last active August 6, 2024 17:23
Great powershell script for tightening HTTPS security on IIS and disabling insecure protocols and ciphers. Very useful on core installations.
# Copyright 2019, Alexander Hass
# https://www.hass.de/content/setup-microsoft-windows-or-iis-ssl-perfect-forward-secrecy-and-tls-12
#
# After running this script the computer only supports:
# - TLS 1.2
#
# Version 3.0.1, see CHANGELOG.txt for changes.
Write-Host 'Configuring IIS with SSL/TLS Deployment Best Practices...'
Write-Host '--------------------------------------------------------------------------------'
@oxo42
oxo42 / migrate-to-sso.sh
Created June 30, 2016 10:40
Migrate Splunk users from LDAP to SSO
#!/bin/bash
splunk_home=/opt/splunk/etc
my_users=$splunk_home/apps/my_domain/lookups/my_users.csv
users=$splunk_home/users
authfile=$splunk_home/new-auths.txt
# Clear the auth file
: > $authfile
@taylor224
taylor224 / wifi.py
Last active July 11, 2024 20:17
Python WiFi Example
# -*- coding: utf-8 -*-
import wifi
def Search():
wifilist = []
cells = wifi.Cell.all('wlan0')