Here is why Linux is easier to debug:


My favourites: lsof, strace, netstat, tcpdump, top.

Linux backdoor: systemd-daemon & gvfsd-helper

I have just read this article: https://www.bleepingcomputer.com/news/security/new-stealthy-linux-malware-used-to-backdoor-systems-for-years/

Command-and-control servers historically used by the malware have domains registered six years ago, in December 2015, all of them

File name       MD5                               Detection  First seen in VT
systemd-daemon  1d45cd2c1283f927940c099b8fab593b  0/61       2018-05-16 04:22:59
systemd-daemon  11ad1e9b74b144d564825d65d7fb37d6  0/58       2018-12-25 08:02:05
systemd-daemon  5c0f375e92f551e8f2321b141c15c48f  0/56       2020-05-08 05:50:06
gvfsd-helper    64f6cfe44ba08b0babdd3904233c4857  0/61       2021-01-18 13:13:19

So I quickly ran:

# sudo find / -name 'systemd-daemon'
# sudo find / -name 'gvfsd-helper'

Neither is present ...
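A name search only catches the samples under the names the article lists; the same binary dropped under another name is missed, and a process whose file has been deleted never shows up on disk. The script below is an added example, not part of the original post: it scans a directory tree for the file names and for the MD5 hashes copied from the table above, and lists running processes whose command name matches. It needs md5sum (coreutils) and a Linux /proc; the scan root and the files created in the test are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): hunt for the indicators in the
# table above by file name *and* by MD5, and check running processes, rather
# than trusting `find / -name` alone. Hash list copied from the table; the scan
# root and any test files are constructed. Needs md5sum and Linux /proc.

# MD5s from the table above (one per line).
IOC_MD5="1d45cd2c1283f927940c099b8fab593b
11ad1e9b74b144d564825d65d7fb37d6
5c0f375e92f551e8f2321b141c15c48f
64f6cfe44ba08b0babdd3904233c4857"

# File names from the table above.
IOC_NAMES="systemd-daemon gvfsd-helper"

# ioc_match_hash FILE -> prints "md5 <hash> <file>" and returns 0 if FILE's MD5 is listed.
ioc_match_hash() {
    sum=$(md5sum "$1" 2>/dev/null | cut -d' ' -f1) || return 1
    if printf '%s\n' "$IOC_MD5" | grep -qxF "$sum"; then
        printf 'md5 %s %s\n' "$sum" "$1"
        return 0
    fi
    return 1
}

# ioc_scan_dir DIR -> one line per hit: "name <file>" for a listed file name,
# "md5 <hash> <file>" for a listed hash under any name. Stays on one filesystem.
ioc_scan_dir() {
    dir=$1
    for n in $IOC_NAMES; do
        find "$dir" -xdev -type f -name "$n" 2>/dev/null | sed 's/^/name /'
    done
    find "$dir" -xdev -type f 2>/dev/null | while IFS= read -r f; do
        ioc_match_hash "$f" || true
    done
}

# ioc_running -> "proc <pid> <comm>" for each process whose command name is
# listed (a binary deleted from disk after launch still shows up here).
ioc_running() {
    for p in /proc/[0-9]*; do
        c=$(cat "$p/comm" 2>/dev/null) || continue
        for n in $IOC_NAMES; do
            [ "$c" = "$n" ] && printf 'proc %s %s\n' "${p##*/}" "$c"
        done
    done
    return 0
}

# Usage: sh ioc-scan.sh /    (hashing a whole root filesystem takes a while)
if [ "$#" -gt 0 ]; then
    ioc_running
    ioc_scan_dir "$1"
fi
```

The hashes match only the exact samples from the table; a rebuilt or repacked copy of the malware has a different MD5, so an empty result from the hash scan is weaker evidence than a hit is.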

Ubuntu: compressing and resizing photos

Under Mac OS I had written several articles ... but under Ubuntu it is simpler; here are the commands I use:

$ du -sh Images/
$ find Images/ -iname '*.jpg' -exec mogrify -verbose -resize '1920x1080>' {} \;

I take 1920×1080 as the maximum resolution (2048×1536 is another option). It is strongly advised to have a backup before running the commands. And I recommend this reading: https://fr.wikipedia.org/wiki/Impression_photo_num%C3%A9rique

Note also that I move all the videos out before running the command:

$ find Images/ -type f \( -iname '*.mp4' -o -iname '*.mov' -o -iname '*.avi' -o -iname '*.mpg' -o -iname '*.3gp' -o -iname '*.3g2' \) -exec mv "{}" ./Vidéos/ \;

Note also that I strongly recommend this command to check whether the directory contains only images:

$ find Images/ -type f | sed -n 's/..*\.//p' | sort | uniq -c
     36 bmp
      5 db
     10 gif
      2 GIF
    466 jpeg
  61698 jpg
      1 Jpg
  47063 JPG
     47 png
    118 PNG
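The count above groups files by the extension in their name, which is why JPG, Jpg and jpg appear as separate buckets and why a file that merely ends in .jpg is counted as an image. The script below is an added example, not from the original post: it classifies files by their leading bytes (JPEG, PNG, GIF and BMP signatures only, an assumption that these are the formats that matter for this tree) and lists every file whose name and content disagree, for instance a PNG renamed to .jpg or a script hiding behind an image extension. The test files are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): classify files by their first
# bytes instead of by extension, so a "photo.jpg" that is really a script, or a
# PNG renamed to .jpg, is noticed. Only the JPEG, PNG, GIF and BMP signatures are
# known here (assumption); anything else is reported as "other".

# image_kind FILE -> jpeg | png | gif | bmp | other, from the first four bytes.
image_kind() {
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        ffd8ff*)  echo jpeg ;;      # JPEG SOI marker
        89504e47) echo png ;;       # "\x89PNG"
        47494638) echo gif ;;       # "GIF8"
        424d*)    echo bmp ;;       # "BM"
        *)        echo other ;;
    esac
}

# file_ext FILE -> lower-cased extension of the basename, or "" if none.
file_ext() {
    base=$(basename "$1")
    case "$base" in
        *.*) printf '%s\n' "${base##*.}" | tr 'A-Z' 'a-z' ;;
        *)   echo "" ;;
    esac
}

# suspicious_files DIR -> "<file> <ext> <kind>" for every file whose name and
# content disagree (a .jpg that is not a JPEG, a file with no image signature...).
suspicious_files() {
    find "$1" -type f | while IFS= read -r f; do
        ext=$(file_ext "$f")
        kind=$(image_kind "$f")
        case "$ext:$kind" in
            jpg:jpeg|jpeg:jpeg|png:png|gif:gif|bmp:bmp) ;;     # name and content agree
            *) printf '%s %s %s\n' "$f" "${ext:-none}" "$kind" ;;
        esac
    done
}

# kind_summary DIR -> the same "count per type" as the extension count above,
# but keyed on content, so JPG, Jpg and jpeg land in one bucket.
kind_summary() {
    find "$1" -type f | while IFS= read -r f; do image_kind "$f"; done | sort | uniq -c
}

# Usage: sh image-check.sh Images/
if [ "$#" -gt 0 ]; then
    kind_summary "$1"
    suspicious_files "$1"
fi
```

Run it on the same directory before the mogrify pass: anything it reports as "other" is a file that the resize will either skip or choke on, and a file with the wrong signature under an image extension deserves a look before it is kept in a photo archive.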

Note also that to sort my videos I use the same process as for my photos:

/Vidéos$ fdupes -rdN .
/Vidéos$ time exiftool -v -r "-filemodifydate<datetimeoriginal" "-filecreatedate<datetimeoriginal" *.*
/Vidéos$ sortphotos -r . . --sort %Y/%m/%d

Now I am going to use digiKam to build myself a database of identical images (but with a different compression) ... and use sqlite3 to query that database.

$ sudo apt-get install sqlite3 libsqlite3-dev
$ sqlite3 similarity.db 
SQLite version 3.22.0 2018-01-22 18:45:57
Enter ".help" for usage hints.
sqlite> .table
ImageHaarMatrix     ImageSimilarity     SimilaritySettings
sqlite> .quit

To be continued

Issue: only one processor, or "Unsupported PM cap regs version (7)"

My current issue on Oracle Linux 7.3 (kernel 4.1.12-61.1.18): either I get only one processor, or the error "Unsupported PM cap regs version (7)". It is impossible to boot with 8 processors and without the error "Unsupported PM cap regs version (7)".

To see the number of processors: grep "model name" /proc/cpuinfo

My processor: Intel(R) Xeon(R) CPU E5-2623 v3 @ 3.00GHz

All the tests I ran:

Test | Status | CPUs | Note                                        | Kernel parameters (set in GRUB)
1    | OK     | 1    |                                             | quiet splash noapic nolapic acpi=off
2    | OK     | 1    |                                             | quiet acpi=off
3    | KO     | -    | Freeze: Unsupported PM cap regs version (7) | quiet
4    | KO     | -    | No boot                                     | quiet splash pci=noacpi
5    | KO     | -    | Freeze: Unsupported PM cap regs version (7) | quiet acpi=off nr_cpus=8
6    | KO     | -    | Freeze: Unsupported PM cap regs version (7) | quiet acpi=ht
7    | KO     | -    | Freeze: Unsupported PM cap regs version (7) | quiet acpi=noirq
8    | KO     | -    | Freeze: Unsupported PM cap regs version (7) | quiet pnpacpi=off
9    | KO     | -    | Freeze: Unsupported PM cap regs version (7) | quiet pcie_aspm=off
10   | KO     | -    | Freeze: Unsupported PM cap regs version (7) | quiet pci=noacpi
11   | KO     | -    | Freeze: Unsupported PM cap regs version (7) | quiet acpi=ht nolapic splash
12   | KO     | -    | Freeze: Unsupported PM cap regs version (7) | quiet acpi=ht pci=nocrs
13   | KO     | -    | Freeze: Unsupported PM cap regs version (7) | quiet acpi=ht acpi_osi=Linux
14   | OK     | 1    |                                             | quiet idle=poll acpi=off
15   | OK     | 1    |                                             | quiet idle=poll acpi=off processor.nocst=1
16   | OK     | 1    |                                             | quiet acpi=off processor.nocst=1
17   | KO     | -    | Freeze: Unsupported PM cap regs version (7) | quiet acpi=ht acpi.nopower_check=1 acpi_osi=Linux
18   | OK     | 1    |                                             | quiet acpi=off processor.nocst=1 maxcpus=8
19   | OK     | 1    |                                             | quiet intel_iommu=on acpi=off noapi
20   | KO     | -    | Freeze: Unsupported PM cap regs version (7) | quiet noapic pci=assign-busses apicmaintimer idle=poll reboot=cold,hard
21   | KO     | -    | Freeze: Unsupported PM cap regs version (7) | quiet pci=nomsi
22   | KO     | -    | Freeze: Unsupported PM cap regs version (7) | quiet pci=noaer
23   | KO     | -    | Freeze: Unsupported PM cap regs version (7) | quiet splash noapic nolapic acpi=ht pci=nocrs
24   | KO     | -    | Freeze: Unsupported PM cap regs version (7) | quiet splash noapic nolapic acpi=noirq pci=nocrs
25   | KO     | -    | Freeze: Unsupported PM cap regs version (7) | quiet splash nomodeset acpi_osi=Linux

Kernel source code:

When I look at the source code of pci.c (drivers/pci/pci.c):

/**
 * pci_pm_init - Initialize PM functions of given PCI device
 * @dev: PCI device to handle.
 */
void pci_pm_init(struct pci_dev *dev)
{
	int pm;
	u16 pmc;

	pm_runtime_forbid(&dev->dev);
	pm_runtime_set_active(&dev->dev);
	pm_runtime_enable(&dev->dev);
	device_enable_async_suspend(&dev->dev);
	dev->wakeup_prepared = false;

	dev->pm_cap = 0;
	dev->pme_support = 0;

	/* find PCI PM capability in list */
	pm = pci_find_capability(dev, PCI_CAP_ID_PM);
	if (!pm)
		return;
	/* Check device's ability to generate PME# */
	pci_read_config_word(dev, pm + PCI_PM_PMC, &pmc);

	if ((pmc & PCI_PM_CAP_VER_MASK) > 3) {
		pci_err(dev, "unsupported PM cap regs version (%u)\n",
			pmc & PCI_PM_CAP_VER_MASK);
		return;
	}
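The excerpt shows where the message comes from: pci_find_capability() walks the device's capability list, the PMC register of the power-management capability is read, and if its 3-bit version field is above 3 the kernel logs the error and returns, leaving dev->pm_cap at 0 for that device. The message therefore names the device but does not itself halt the boot. The script below is an added example, not part of the original post or of the kernel tree: it performs the same walk in user space on a raw config-space file, so the device that reports version 7 (the logs further down name 0000:06:04.0) can be identified from a system that did boot, e.g. with acpi=off. On a live system the input is /sys/bus/pci/devices/<bdf>/config, which must be read as root (non-root reads stop at 64 bytes, before any capability). sample_config builds a constructed config space for testing and is not a real device dump.

```shell
#!/bin/sh
# Added example (not from the original post, not kernel code): walk a PCI
# device's capability list the way pci_pm_init() does above
# (pci_find_capability(PCI_CAP_ID_PM), then read PCI_PM_PMC) and report the
# 3-bit PM version field. Input: a raw config-space file, e.g.
# /sys/bus/pci/devices/<bdf>/config read as root, or a saved dump.
# sample_config writes a constructed config space for testing, not a real device.

# cfg_byte FILE OFFSET -> decimal value of the byte at OFFSET (decimal);
# 255 (all-ones, what an absent/failed read looks like) if the file is too short.
cfg_byte() {
    v=$(od -An -tu1 -j "$2" -N1 "$1" 2>/dev/null | tr -d ' \n')
    echo "${v:-255}"
}

# pm_cap_version FILE -> prints (PCI_PM_PMC & PCI_PM_CAP_VER_MASK), or "none"
# when the device has no capability list or no PM capability.
pm_cap_version() {
    cfg=$1
    st=$(cfg_byte "$cfg" 6)                       # PCI_STATUS, low byte
    if [ $((st & 0x10)) -eq 0 ]; then             # PCI_STATUS_CAP_LIST not set
        echo none; return 0
    fi
    ptr=$(cfg_byte "$cfg" 52)                     # PCI_CAPABILITY_LIST (0x34)
    ttl=48                                        # PCI_FIND_CAP_TTL: bounds a looping list
    while [ "$ptr" -ge 64 ] && [ "$ttl" -gt 0 ]; do
        ptr=$((ptr & 0xfc))                       # pointers are dword aligned
        id=$(cfg_byte "$cfg" "$ptr")
        [ "$id" -ne 255 ] || break                # 0xff: bogus/empty entry
        if [ "$id" -eq 1 ]; then                  # PCI_CAP_ID_PM
            pmc=$(cfg_byte "$cfg" $((ptr + 2)))   # PCI_PM_PMC, low byte
            echo $((pmc & 0x07))                  # PCI_PM_CAP_VER_MASK
            return 0
        fi
        ptr=$(cfg_byte "$cfg" $((ptr + 1)))       # next-capability pointer
        ttl=$((ttl - 1))
    done
    echo none
}

# pm_cap_supported FILE -> exit 0 if pci_pm_init() would accept the device
# (no PM cap, or version <= 3), 1 if it would log "unsupported PM cap regs version".
pm_cap_supported() {
    v=$(pm_cap_version "$1")
    [ "$v" = none ] || [ "$v" -le 3 ]
}

# sample_config FILE PMC -> constructed 256-byte config space (not a real dump):
# capability list present, MSI cap at 0x40 chained to a PM cap at 0x50 whose
# PMC low byte is PMC (a printf octal escape, e.g. '\007' for version 7).
sample_config() {
    dd if=/dev/zero of="$1" bs=256 count=1 2>/dev/null
    printf '\020'     | dd of="$1" bs=1 seek=6  conv=notrunc 2>/dev/null   # PCI_STATUS_CAP_LIST
    printf '\100'     | dd of="$1" bs=1 seek=52 conv=notrunc 2>/dev/null   # cap pointer -> 0x40
    printf '\005\120' | dd of="$1" bs=1 seek=64 conv=notrunc 2>/dev/null   # MSI cap (0x05), next -> 0x50
    printf '\001\000' | dd of="$1" bs=1 seek=80 conv=notrunc 2>/dev/null   # PM cap (0x01), end of list
    printf "$2"       | dd of="$1" bs=1 seek=82 conv=notrunc 2>/dev/null   # PCI_PM_PMC low byte
}

# "--scan": report every device on a live system (run as root).
if [ "$#" -gt 0 ] && [ "$1" = --scan ]; then
    for d in /sys/bus/pci/devices/*; do
        v=$(pm_cap_version "$d/config")
        case "$v" in
            none)  ;;
            [0-3]) printf '%s PM cap version %s\n' "${d##*/}" "$v" ;;
            *)     printf '%s PM cap version %s (rejected by pci_pm_init)\n' "${d##*/}" "$v" ;;
        esac
    done
fi
```

Run `sh pm-cap-check.sh --scan` as root, or hand pm_cap_version a saved config file; `lspci -vv` prints the same field as "Power Management version N" and is a quick cross-check. Two caveats on the test table: test 19's `noapi` is not a kernel parameter (`noapic` is), so it had no effect, and since the excerpt only logs and returns, a freeze that follows the message is not explained by the message alone.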

More information on the kernel parameters used (set on the kernel command line in GRUB; from the kernel's kernel-parameters.txt):

acpi=           [HW,ACPI,X86,ARM64]
                        Advanced Configuration and Power Interface
                        Format: { force | on | off | strict | noirq | rsdt |
                                  copy_dsdt }
                        force -- enable ACPI if default was off
                        on -- enable ACPI but allow fallback to DT [arm64]
                        off -- disable ACPI if default was on
                        noirq -- do not use ACPI for IRQ routing
                        strict -- Be less tolerant of platforms that are not
                                strictly ACPI specification compliant.
                        rsdt -- prefer RSDT over (default) XSDT
                        copy_dsdt -- copy DSDT to memory
                        For ARM64, ONLY "acpi=off", "acpi=on" or "acpi=force"
                        are available

pnpacpi=        [ACPI]
                        { off }

nr_cpus=        [SMP] Maximum number of processors that an SMP kernel
                        could support.  nr_cpus=n : n >= 1 limits the kernel to
                        support 'n' processors. It could be larger than the
                        number of already plugged CPU during bootup, later in
                        runtime you can physically add extra cpu until it reaches
                        n. So during boot up some boot time memory for per-cpu
                        variables need be pre-allocated for later physical cpu
                        hot plugging.

pcie_aspm=      [PCIE] Forcibly enable or disable PCIe Active State Power
                        Management.
                off     Disable ASPM.
                force   Enable ASPM even on devices that claim not to support it.
                        WARNING: Forcing ASPM on may cause system lockups.

pci=option[,option...]  [PCI] various PCI subsystem options:
                earlydump       [X86] dump PCI config space before the kernel
                                changes anything
                off             [X86] don't probe for the PCI bus
                bios            [X86-32] force use of PCI BIOS, don't access
                                the hardware directly. Use this if your machine
                                has a non-standard PCI host bridge.
                nobios          [X86-32] disallow use of PCI BIOS, only direct
                                hardware access methods are allowed. Use this
                                if you experience crashes upon bootup and you
                                suspect they are caused by the BIOS.
                conf1           [X86] Force use of PCI Configuration Access
                                Mechanism 1 (config address in IO port 0xCF8,
                                data in IO port 0xCFC, both 32-bit).
                conf2           [X86] Force use of PCI Configuration Access
                                Mechanism 2 (IO port 0xCF8 is an 8-bit port for
                                the function, IO port 0xCFA, also 8-bit, sets
                                bus number. The config space is then accessed
                                through ports 0xC000-0xCFFF).
                                See http://wiki.osdev.org/PCI for more info
                                on the configuration access mechanisms.
                noaer           [PCIE] If the PCIEAER kernel config parameter is
                                enabled, this kernel boot option can be used to
                                disable the use of PCIE advanced error reporting.
                nodomains       [PCI] Disable support for multiple PCI
                                root domains (aka PCI segments, in ACPI-speak).
                nommconf        [X86] Disable use of MMCONFIG for PCI
                                Configuration
                check_enable_amd_mmconf [X86] check for and enable
                                properly configured MMIO access to PCI
                                config space on AMD family 10h CPU
                nomsi           [MSI] If the PCI_MSI kernel config parameter is
                                enabled, this kernel boot option can be used to
                                disable the use of MSI interrupts system-wide.
                noioapicquirk   [APIC] Disable all boot interrupt quirks.
                                Safety option to keep boot IRQs enabled. This
                                should never be necessary.
                ioapicreroute   [APIC] Enable rerouting of boot IRQs to the
                                primary IO-APIC for bridges that cannot disable
                                boot IRQs. This fixes a source of spurious IRQs
                                when the system masks IRQs.
                noioapicreroute [APIC] Disable workaround that uses the
                                boot IRQ equivalent of an IRQ that connects to
                                a chipset where boot IRQs cannot be disabled.
                                The opposite of ioapicreroute.
                biosirq         [X86-32] Use PCI BIOS calls to get the interrupt
                                routing table. These calls are known to be buggy
                                on several machines and they hang the machine
                                when used, but on other computers it's the only
                                way to get the interrupt routing table. Try
                                this option if the kernel is unable to allocate
                                IRQs or discover secondary PCI buses on your
                                motherboard.
                rom             [X86] Assign address space to expansion ROMs.
                                Use with caution as certain devices share
                                address decoders between ROMs and other
                                resources.
                norom           [X86] Do not assign address space to
                                expansion ROMs that do not already have
                                BIOS assigned address ranges.
                nobar           [X86] Do not assign address space to the
                                BARs that weren't assigned by the BIOS.
                irqmask=0xMMMM  [X86] Set a bit mask of IRQs allowed to be
                                assigned automatically to PCI devices. You can
                                make the kernel exclude IRQs of your ISA cards
                                this way.
                pirqaddr=0xAAAAA        [X86] Specify the physical address
                                of the PIRQ table (normally generated
                                by the BIOS) if it is outside the
                                F0000h-100000h range.
                lastbus=N       [X86] Scan all buses thru bus #N. Can be
                                useful if the kernel is unable to find your
                                secondary buses and you want to tell it
                                explicitly which ones they are.
                assign-busses   [X86] Always assign all PCI bus
                                numbers ourselves, overriding
                                whatever the firmware may have done.
                usepirqmask     [X86] Honor the possible IRQ mask stored
                                in the BIOS $PIR table. This is needed on
                                some systems with broken BIOSes, notably
                                some HP Pavilion N5400 and Omnibook XE3
                                notebooks. This will have no effect if ACPI
                                IRQ routing is enabled.
                noacpi          [X86] Do not use ACPI for IRQ routing
                                or for PCI scanning.
                use_crs         [X86] Use PCI host bridge window information
                                from ACPI.  On BIOSes from 2008 or later, this
                                is enabled by default.  If you need to use this,
                                please report a bug.
                nocrs           [X86] Ignore PCI host bridge windows from ACPI.
                                If you need to use this, please report a bug.
                routeirq        Do IRQ routing for all PCI devices.
                                This is normally done in pci_enable_device(),
                                so this option is a temporary workaround
                                for broken drivers that don't call it.
                skip_isa_align  [X86] do not align io start addr, so can
                                handle more pci cards
                noearly         [X86] Don't do any early type 1 scanning.
                                This might help on some broken boards which
                                machine check when some devices' config space
                                is read. But various workarounds are disabled
                                and some IOMMU drivers will not work.
                bfsort          Sort PCI devices into breadth-first order.
                                This sorting is done to get a device
                                order compatible with older (<= 2.4) kernels.
                nobfsort        Don't sort PCI devices into breadth-first order.
                pcie_bus_tune_off       Disable PCIe MPS (Max Payload Size)
                                tuning and use the BIOS-configured MPS defaults.
                pcie_bus_safe   Set every device's MPS to the largest value
                                supported by all devices below the root complex.
                pcie_bus_perf   Set device MPS to the largest allowable MPS
                                based on its parent bus. Also set MRRS (Max
                                Read Request Size) to the largest supported
                                value (no larger than the MPS that the device
                                or bus can support) for best performance.
                pcie_bus_peer2peer      Set every device's MPS to 128B, which
                                every device is guaranteed to support. This
                                configuration allows peer-to-peer DMA between
                                any pair of devices, possibly at the cost of
                                reduced performance.  This also guarantees
                                that hot-added devices will work.
                cbiosize=nn[KMG]        The fixed amount of bus space which is
                                reserved for the CardBus bridge's IO window.
                                The default value is 256 bytes.
                cbmemsize=nn[KMG]       The fixed amount of bus space which is
                                reserved for the CardBus bridge's memory
                                window. The default value is 64 megabytes.
                resource_alignment=
                                Format:
                                [<order of align>@][<domain>:]<bus>:<slot>.<func>[; ...]
                                [<order of align>@]pci:<vendor>:<device>\
                                                [:<subvendor>:<subdevice>][; ...]
                                Specifies alignment and device to reassign
                                aligned memory resources.
                                If <order of align> is not specified,
                                PAGE_SIZE is used as alignment.
                                PCI-PCI bridge can be specified, if resource
                                windows need to be expanded.
                                To specify the alignment for several
                                instances of a device, the PCI vendor,
                                device, subvendor, and subdevice may be
                                specified, e.g., 4096@pci:8086:9c22:103c:198f
                ecrc=           Enable/disable PCIe ECRC (transaction layer
                                end-to-end CRC checking).
                                bios: Use BIOS/firmware settings. This is the
                                default.
                                off: Turn ECRC off
                                on: Turn ECRC on.
                hpiosize=nn[KMG]        The fixed amount of bus space which is
                                reserved for hotplug bridge's IO window.
                                Default size is 256 bytes.
                hpmemsize=nn[KMG]       The fixed amount of bus space which is
                                reserved for hotplug bridge's memory window.
                                Default size is 2 megabytes.
                hpbussize=nn    The minimum amount of additional bus numbers
                                reserved for buses below a hotplug bridge.
                                Default is 1.
                realloc=        Enable/disable reallocating PCI bridge resources
                                if allocations done by BIOS are too small to
                                accommodate resources required by all child
                                devices.
                                off: Turn realloc off
                                on: Turn realloc on
                realloc         same as realloc=on
                noari           do not use PCIe ARI.
                pcie_scan_all   Scan all possible PCIe devices.  Otherwise we
                                only look for one device below a PCIe downstream
                                port.

Logs of the issue:

Test 19: sample log from /var/log/messages:

Kernel command line: BOOT_IMAGE=/vmlinuz-4.1.12-61.1.18.el7uek.x86_64 root=/dev/mapper/ol-root ro crashkernel=auto rd.lvm.lv=ol/root rd.lvm.lv=ol/swap rhgb quiet intel_iommu=on acpi=off noapi LANG=en_GB.UTF-8
...
RCU restricting CPUs from NR_CPUS=8192 to nr_cpu_ids=1.
...
RCU: Adjusting geometry for rcu_fanout_leaf=16, nr_cpu_ids=1
...
CPU: Physical Processor ID: 0
CPU: Processor Core ID: 0
...
smpboot: SMP motherboard not detected
smpboot: SMP disabled
...
x86: Booted up 1 node, 1 CPUs
smpboot: Total of 1 processors activated (5993.31 BogoMIPS)
NMI watchdog: enabled on all CPUs, permanently consumes one hw-PMU counter.

Grep: grep "Kernel command line:" messages*

...
Kernel command line: BOOT_IMAGE=/vmlinuz-4.1.12-61.1.18.el7uek.x86_64 root=/dev/mapper/ol-root ro crashkernel=auto rd.lvm.lv=ol/root rd.lvm.lv=ol/swap rhgb quiet noapic pci=assign-busses apicmaintimer idle=poll reboot=cold,hard LANG=en_GB.UTF-8
...
Kernel command line: BOOT_IMAGE=/vmlinuz-3.10.0-514.el7.x86_64 root=/dev/mapper/ol-root ro crashkernel=auto rd.lvm.lv=ol/root rd.lvm.lv=ol/swap rhgb quiet noapic pci=assign-busses apicmaintimer idle=poll reboot=cold,hard LANG=en_GB.UTF-8
...
Kernel command line: BOOT_IMAGE=/vmlinuz-4.1.12-61.1.18.el7uek.x86_64 root=/dev/mapper/ol-root ro crashkernel=auto rd.lvm.lv=ol/root rd.lvm.lv=ol/swap rhgb quiet noapic pci=assign-busses apicmaintimer idle=poll reboot=cold,hard LANG=en_GB.UTF-8
...
Kernel command line: BOOT_IMAGE=/vmlinuz-4.1.12-61.1.18.el7uek.x86_64 root=/dev/mapper/ol-root ro crashkernel=auto rd.lvm.lv=ol/root rd.lvm.lv=ol/swap rhgb quiet acpi=ht pci=nocrs LANG=en_GB.UTF-8
...
Kernel command line: BOOT_IMAGE=/vmlinuz-4.1.12-61.1.18.el7uek.x86_64 root=/dev/mapper/ol-root ro crashkernel=auto rd.lvm.lv=ol/root rd.lvm.lv=ol/swap rhgb quiet pci=nomsi LANG=en_GB.UTF-8
...
Kernel command line: BOOT_IMAGE=/vmlinuz-4.1.12-61.1.18.el7uek.x86_64 root=/dev/mapper/ol-root ro crashkernel=auto rd.lvm.lv=ol/root rd.lvm.lv=ol/swap rhgb quiet noapic pci=assign-busses apicmaintimer idle=poll reboot=cold,hard LANG=en_GB.UTF-8
...
Kernel command line: BOOT_IMAGE=/vmlinuz-4.1.12-61.1.18.el7uek.x86_64 root=/dev/mapper/ol-root ro crashkernel=auto rd.lvm.lv=ol/root rd.lvm.lv=ol/swap rhgb quiet splash noapic nolapic acpi=off LANG=en_GB.UTF-8
...
Kernel command line: BOOT_IMAGE=/vmlinuz-4.1.12-61.1.18.el7uek.x86_64 root=/dev/mapper/ol-root ro crashkernel=auto rd.lvm.lv=ol/root rd.lvm.lv=ol/swap rhgb quiet intel_iommu=on acpi=off noapi LANG=en_GB.UTF-8
...
Kernel command line: BOOT_IMAGE=/vmlinuz-4.1.12-61.1.18.el7uek.x86_64 root=/dev/mapper/ol-root ro crashkernel=auto rd.lvm.lv=ol/root rd.lvm.lv=ol/swap rhgb quiet intel_iommu=on acpi=off noapi LANG=en_GB.UTF-8
...

More log lines about the PCI issue:

Kernel command line: BOOT_IMAGE=/vmlinuz-4.1.12-61.1.18.el7uek.x86_64 root=/dev/mapper/ol-root ro crashkernel=auto rd.lvm.lv=ol/root rd.lvm.lv=ol/swap rhgb quiet splash noapic nolapic acpi=off LANG=en_GB.UTF-8
...
kernel: PCI: Probing PCI hardware
kernel: PCI host bridge to bus 0000:00
kernel: pci_bus 0000:00: root bus resource [io  0x0000-0xffff]
kernel: pci_bus 0000:00: root bus resource [mem 0x00000000-0x3fffffffffff]
kernel: pci_bus 0000:00: No busn resource found for root bus, will use [bus 00-ff]
kernel: pci 0000:00:01.0: PCI bridge to [bus 01]
kernel: pci 0000:00:03.0: PCI bridge to [bus 04]
kernel: pci 0000:05:00.0: disabling ASPM on pre-1.1 PCIe device.  You can enable it with 'pcie_aspm=force'
kernel: pci 0000:00:03.2: PCI bridge to [bus 05-06]
kernel: pci 0000:06:04.0: unsupported PM cap regs version (7)
kernel: pci 0000:05:00.0: PCI bridge to [bus 06]
kernel: pci 0000:00:1c.0: PCI bridge to [bus 07]
kernel: pci 0000:00:1c.1: PCI bridge to [bus 08-0c]
kernel: pci 0000:08:00.0: PCI bridge to [bus 09-0c]
kernel: pci 0000:09:00.0: PCI bridge to [bus 0a-0b]
kernel: vgaarb: setting as boot device: PCI:0000:0b:00.0
kernel: vgaarb: device added: PCI:0000:0b:00.0,decodes=io+mem,owns=io+mem,locks=none
kernel: pci 0000:0a:00.0: PCI bridge to [bus 0b]
kernel: pci 0000:00:1c.2: PCI bridge to [bus 02]
kernel: pci 0000:00:1c.3: PCI bridge to [bus 03]
kernel: pci 0000:00:1f.0: default IRQ router [8086:8d44]