
CIS, Phantom, Tenable.sc

Brad Poulton, 4 years ago, commit 1e0b470757
3 changed files with 42 additions and 7 deletions:
  1. CIS Benchmarks Audit.md (+18 -2)
  2. Phantom Upgrade Notes.md (+16 -5)
  3. Tenable Security Center Notes.md (+8 -0)

CIS Benchmarks Audit.md (+18 -2)

@@ -42,7 +42,7 @@ Does the CIS Hardening
  Both AWS and Vmware are using the masterless salt. 
 
 Commands run in PROD Sensu/Vault are guiena pigs
-First Group pushed to PROD
+First Group of changes pushed to first group of PROD servers
 salt sensu* state.sls os_modifications.auditd --output-diff
 salt sensu* state.sls os_modifications.timezone --output-diff
 salt sensu* state.sls os_modifications.sshd_config --output-diff
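Review bot: the `sensu*` target in the added rollout commands is an unquoted shell glob; if any file in the working directory matches it the shell expands it before `salt` sees it and the state runs against the wrong minions. Quote the target as `salt 'sensu*' state.sls os_modifications.auditd --output-diff`, as the later compound targets in this file already do with `-C '...'`.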
@@ -52,6 +52,9 @@ salt sensu* state.sls os_modifications.audit_backlog_limit --output-diff
 salt sensu* state.sls os_modifications.fstab --output-diff
 salt sensu* state.sls os_modifications.sysctl --output-diff
 salt sensu* state.sls os_modifications.rsyslog --output-diff
+salt *com cmd.run 'systemctl start auditd'
+
+Second Group of changes 
 
 Second Group is 
 salt vault*
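Review bot: `salt *com cmd.run 'systemctl start auditd'` only starts the service; it does not enable it at boot, so the CIS auditd finding comes back after the first reboot. Prefer the service execution module, `salt '*com' service.start auditd` followed by `salt '*com' service.enable auditd`, or fold `enable: True` into the `os_modifications.auditd` state so it is applied with the rest of the group. The target `*com` also needs quoting for the same reason as above, and the new "Second Group of changes" line duplicates the existing "Second Group is" heading directly below it; keep one of them.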
@@ -62,6 +65,12 @@ salt -C '* not ( afs* or nga* or ma-* or dc-c19* or la-c19* or nihor* or bp-ot-d
 Fourth Group is all internal, no customers.
 salt -C 'customer* or teleport* or moose*idx* or jira* or openvpn* or phantom-0*'
 
+Fifth Group is all servers besides LCPs
+salt *com 
+
+Sixth Group is LCPs
+salt -G 'msoc_pop:True'
+
 
 
 
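Review bot: the Fifth Group line `salt *com` names a target but no function, so it is a placeholder rather than a runnable command; either add the `state.sls ...` call or mark it as a target only. Its description "all servers besides LCPs" is also not what the glob expresses, since `*com` excludes LCPs only if no LCP hostname ends in `com`; a compound target such as `salt -C '*com and not G@msoc_pop:True'` says what the text means and stays correct when hostnames change. The Sixth Group target `-G 'msoc_pop:True'` is fine as written.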
@@ -136,12 +145,19 @@ salt vault-1* state.sls os_modifications.tty_history saltenv=feature/bp_MSOCI-16
 #fix timeout
 salt vault-1* state.sls os_modifications.timeout saltenv=feature/bp_MSOCI-1676_cis_audit_part2 test=true
 
-#fix umask
+#fix umask (this doesn't totaly fix the finding!)
 salt vault-1* state.sls os_modifications.umask saltenv=feature/bp_MSOCI-1676_cis_audit_part2 test=true
 
 #Fix unowned files and dirs
 salt vault-1* cmd.run 'rm -rf /home/shahid_mahmood'
+salt vault-1* cmd.run 'rm -rf /home/donald_wong'
+salt vault-1* cmd.run 'rm -rf /home/randy_coffman'
 salt vault-1* cmd.run 'rm -rf /var/spool/mail/shahid_mahmood'
+salt vault-1* cmd.run 'rm -rf /var/spool/mail/randy_coffman'
+salt vault-1* cmd.run 'rm -rf /var/spool/mail/donald_wong'
+salt vault-1* cmd.run "ls -larth /home | grep 'randy_coffman\|shahid_mahmood\|donald_wong'"
+
+------PART 3-----
 
 ```
 
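Review bot: the `ls -larth /home | grep ...` check is placed after the six `rm -rf` commands, so it can only confirm that the directories are gone, not what was about to be deleted. Move it (and an equivalent for `/var/spool/mail`) above the `rm -rf` lines so the operator sees the unowned paths before removing them irreversibly; `cmd.run` has no `test=true` dry run, unlike the `state.sls` calls above. The new umask comment "this doesn't totaly fix the finding!" should say what is still left open (which file or shell still sets the old umask) so the next person does not re-run the same state expecting a pass; "totaly" is also misspelled. Finally, `------PART 3-----` lands inside the code fence that closes on the following ``` line, so it renders as code rather than as a section marker.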

Phantom Upgrade Notes.md (+16 -5)

@@ -26,6 +26,7 @@ Stop Phantom
 
 Take an AWS snapshot OF ALL DRIVES in addition to the automatic snapshots! Phantom uses the /tmp directory in addition to the /opt directory. Be sure to include the EBS volume that is storing the /opt data. It is 500 GB volume ( prod ) or a 60 GB volume ( TEST ).
 Naming Scheme: phantom-pre-upgrade-backup-<current-version>
+phantom-pre-upgrade-backup-4.10.4
 
 Take a full phantom backup while phantom is running. NOTE: to restore a phantom backup you must restore it to the same version of Phantom on a different server! You CAN skip the ibackup if you have a good snapshot!
 `/opt/phantom/bin/start_phantom.sh`
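Review bot: `phantom-pre-upgrade-backup-4.10.4` directly under the `<current-version>` naming template reads as the name to use, and this same file documents a later 4.10.6 upgrade, so it will be copy-pasted with the wrong version. Prefix it with "e.g." or rewrite the line as `phantom-pre-upgrade-backup-<current-version>, e.g. phantom-pre-upgrade-backup-4.10.4` so the template stays the instruction.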
@@ -61,6 +62,11 @@ New version:
 Reason for upgrading: 
 ```
 
+Post to xdr-soc
+```
+Phantom is shutting down for an update in 5 minutes!
+```
+
 
 Stop Phantom 
 `/opt/phantom/bin/stop_phantom.sh`
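Review bot: the xdr-soc announcement promises a five minute warning, but the very next step in the runbook is "Stop Phantom" with no wait in between. Add an explicit "wait 5 minutes" step (or a timestamp to note when the message was posted) between the announcement and `stop_phantom.sh`, so the procedure matches what was told to the channel.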
@@ -88,8 +94,11 @@ use the rpm command to upgrade the repo package. ( RPM preferred )
 `rpm -Uvh https://repo.phantom.us/phantom/4.10/base/7Server/x86_64/phantom_repo-4.10.6.61906-1.x86_64.rpm`
 
 ## Upgrade
-This takes a LONG time! Use nohup to background the process to avoid SSH timeout issue. Ask Splunk Support for nohup command. ALTERNATE: Use TMUX to keep session alive. 
-`/opt/phantom/bin/phantom_setup.sh upgrade --without-apps --no-space-check`
+This takes a LONG time! Use nohup to background the process to avoid SSH timeout issue. Ask Splunk Support for nohup command. ALTERNATE: Use TMUX to keep session alive.
+```
+tmux 
+/opt/phantom/bin/phantom_setup.sh upgrade --without-apps --no-space-check
+```
 
 SUGGESTED: Open one vertical split window and one horizontal split window in xterm/tmux to watch the upgrade, watch the size of /tmp and watch the /var/log/phantom/phantom_install_log.
 `tail -f /var/log/phantom/phantom_install_log`
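Review bot: the prose still says to ask Splunk Support for the nohup command while the new fenced block only shows the tmux route; either drop the nohup sentence or add the nohup form next to it so the block and the text agree. Since the point of tmux here is surviving an SSH drop, the block should also say how to get back: detach with `Ctrl-b d` and reattach with `tmux attach` after reconnecting, otherwise a reader who loses the session will not know the upgrade is still running. There is a stray trailing space after `tmux`.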
@@ -98,12 +107,14 @@ NOTE: You should ignore the "Complete!" messages. They are not indicating that t
 
 Upgrade apps after a successful upgrade. 
 
-## Verify that phantom is working properly
+## Verify that Phantom is working properly
 - create new playbook
-- run search ...
+- run playbook
+- run search?
 - verify connectivity to splunk
 - verify connectivity to github
-- 
+- Ensure you can edit an Event
+- ?
 
 # 4.10.6
 08/2021
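Review bot: the verification checklist still carries unresolved placeholders, `- run search?` and `- ?`, which a reader working the runbook cannot act on. Either decide whether the search check is required (the old `- run search ...` line was at least unconditional) and spell it out, or remove the question-mark items; "Ensure you can edit an Event" is a good concrete addition and the others should read the same way.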

Tenable Security Center Notes.md (+8 -0)

@@ -1,5 +1,10 @@
 # Tenable Security Center Notes.md
 
+## Setup
+See https://community.tenable.com/s/article/SSH-Public-Key-Authentication. The private key for svc-scan is not in Vault because if you lose/need it, just generate a new one and push it out. 
+
+
+
 ## Add Custom CAs
 
 See https://community.tenable.com/s/article/Upload-a-Custom-CA-certificate-custom-CA-inc-to-Tenable-sc-Formerly-SecurityCenter
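Review bot: the Setup note explains why the svc-scan private key is not in Vault but not where it does live or how the regenerate-and-push procedure is carried out, which is exactly what someone will need when the key is lost or has to be rotated. Add the host/path that holds the key and the command or state used to push the new public key to the scanned hosts, so "just generate a new one and push it out" is reproducible. The three trailing blank lines before "## Add Custom CAs" can be collapsed to one.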
@@ -75,6 +80,9 @@ l2ybCdf6Gr6nxQZuDy2Ipg6nn+PHgdExijsdsaWHwJ2ql4vDK6sgxFyzfHS6sHwL
 zNYfQ73J6FrTCJlcHCXKMGad07Jkd5y6N9za4MiZ7/Zw/NKNaRIdym6aEeNS7N9O
 ahHDgZnPWV/ZNudKV6pqKZbxyUIHYf4CRA4Z+JKqauY4LpyVWNdW64c=
 -----END CERTIFICATE-----
+```
+#Splunk common CA
+```
 -----BEGIN CERTIFICATE-----
 MIIDejCCAmICCQCNHBN8tj/FwzANBgkqhkiG9w0BAQsFADB/MQswCQYDVQQGEwJV
 UzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDzANBgNVBAoM
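Review bot: splitting the PEM listing into two fences with a `#Splunk common CA` label between them improves readability, but the hunk does not say that both blocks still belong in the same custom_CA.inc file the section is about, which the closing fence now visually contradicts. Add a sentence stating that the certificates are concatenated into one custom_CA.inc, and consider giving the first certificate a matching label so a reader can tell which CA is which when one of them needs replacing.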