
updates are fun!

Brad Poulton 4 years ago
parent
commit
231455cecd

+ 702 - 0
CIS Benchmarks Audit.md

@@ -0,0 +1,702 @@
+CIS Benchmarks Process.md
+
+This CIS certified policy for Red Hat Enterprise Linux 7 is based on the CIS Benchmark for Red Hat Enterprise Linux 7, v2.2.0. The policy contains Level 1 and Level 2, Scored types of checks from the benchmark.
+
+There is no clear approval process in the configuration deviations ticketing system. Deviations from the CIS benchmarks not accounted for in deviation documents.
+
+https://github.xdr.accenturefederalcyber.com/mdr-engineering/msoc-infrastructure/wiki/CIS-Exceptions
+
+
+To resolve the POAM we need a process for CIS benchmarks. Should we use the MSOCI jira queue to manage this?
+
+Use the compliance project (COMP) use the CIS Execption template ( https://jira.xdr.accenturefederalcyber.com/browse/COMP-29 )
+
+
+saltless master in packer
+packer/lcp/vmware/lcp-vmware.pkr.hcl
+
+packer/scripts/salt-virtualenv-minion.sh
+      "../../scripts/salt-virtualenv-minion.sh",
+
+# Does the CIS Hardening
+  provisioner "salt-masterless" {
+    skip_bootstrap     = true
+    salt_bin_dir       = "/mnt/bin"
+    local_state_tree   = "./salt"
+    remote_state_tree  = "/mnt/srv/salt"
+    temp_config_dir    = "/mnt/tmp/salt"
+    salt_call_args     = "-c /mnt/etc/salt"
+    no_exit_on_failure = true
+  }
+
+
+ - migrate packer salt states 
+
+
+ some checks are NOT IMPLEMENTED because they are set by default
+
+
+ Packer gets us 90% to CIS and salt fine tunes and gets us to 100% and it is ok that they are duplicated because salt is the final say.
+
+ Both AWS and Vmware are usign the masterless salt. 
+
+
+LCPs
+afs-splunk-ds-1
+afs-splunk-ds-2
+afs-splunk-ds-4
+afs-splunk-syslog-1
+afs-splunk-syslog-2
+afs-splunk-syslog-3
+afs-splunk-syslog-4
+afs-splunk-syslog-7
+afs-splunk-syslog-8
+bas-splunk-ds-1
+bas-splunk-syslog-1
+bas-splunk-syslog-2
+ca-c19-splunk-ds-1
+ca-c19-splunk-syslog-1
+ca-c19-splunk-syslog-2
+frtib-splunk-ds-1
+frtib-splunk-ds-3
+frtib-splunk-syslog-1
+frtib-splunk-syslog-2
+frtib-splunk-syslog-5
+frtib-splunk-syslog-6
+nga-splunk-ds-1
+nga-splunk-syslog-1
+nga-splunk-syslog-2
+nihors-splunk-ds-1
+nihors-splunk-syslog-1
+nihors-splunk-syslog-2
+
+
+########################
+#
+# EXCEPTIONS
+#
+#########################
+
+Control ID: 1073
+Statement: Status of the 'Maximum Password Age' setting (expiration) / Accounts having the 'password never expires' flag set
+Control Number:5.57
+Reference #: 5.4.1.1.a
+Framework: CIS Benchmark for Red Hat Enterprise Linux 7 3.1.1, § 5.5.1.1
+The following Integer value X indicates the current status of the PASS_MAX_DAYS setting as defined within the /etc/login.defs file.
+
+in range 1-365
+
+Salt State: packer/lcp/vmware/salt/cis-hardening-rhel-7/section-5.sls
+
+Currently being set in salt/fileroots/os_modifications/files/login.defs to -1 by Chris 
+
+exception!
+
+######
+Control ID: 1072
+Statement: Status of the 'Minimum Password Age' setting
+Control Number: 5.59
+Reference #: 5.4.1.2.a
+The following Integer value X indicates the current PASS_MIN_DAYS setting within the /etc/login.defs file.
+
+greater than or equal to 7
+
+To specify password minimum age for new accounts, edit the file "/etc/login.defs" and add or correct the following line, replacing [DAYS] appropriately: 
+
+PASS_MIN_DAYS [DAYS]
+
+A value of 1 day is considered sufficient for many environments. The DoD requirement is 1.
+
+Currently being set in salt/fileroots/os_modifications/files/login.defs to -1 by Chris 
+
+exception!
+
+######
+Control ID: 1417
+Statement: Existence of the 'cron.deny' file
+Control Number: 5.14
+Reference #: 5.1.8
+
+salt file created! needs to be deployed
+
+
+#####
+Control ID: 4437
+Statement: Current list of hosts defined within the 'hosts.allow' file
+Reference #: 3.4.2
+
+Exception!
+
+
+
+#####
+Control ID: 4438
+Statement: Status of the hosts defined within the hosts.deny file
+Reference #: 3.4.3
+
+Exception!
+
+#####
+Control ID: 4726
+Statement: Current 'UMASK' setting for the '/etc/bashrc or /etc/bash.bashrc' file
+Reference #: 5.4.5/5.4.6
+
+False positive. Qualys regex doesn't work with "022"
+umask configured here: packer/scripts/aws-hardening.sh
+
+CIS provided grep command: 
+```
+grep -E '^\s*umask\s+\s*(0[0-7][2-7]7|[0-7][2-7]7|u=(r?|w?|x?)(r?|w?|x?)(r?|w?|x?),g=(r?x?|x?r?),o=)\s*(\s*#.*)?$' /etc/profile /etc/profile.d/*.sh /etc/bashrc
+
+```
+
+#####
+Control ID: 4997
+Statement: Current list of 'NTP servers' defined within '/etc/ntp.conf'
+Reference #: 2.2.1.2
+
+False Positive. ntp is not installed. Chrony is used.
+
+#####
+Control ID: 5215
+Statement:Status of the 'AllowGroups' setting in the 'sshd_config' file
+Reference #: 5.2.14 (v2.2.0) (5.2.4 v3.0.0)
+
+Exception!
+
+
+#####
+Control ID: 5217
+Statement:Status of the 'AllowUsers' setting in the 'sshd_config' file
+Reference #: 5.2.14 (v2.2.0) (5.2.4 v3.0.0)
+
+Exception!
+
+
+#####
+Control ID: 5222
+Statement:Status of the 'ClientAliveInterval' setting in the 'sshd_config' file
+Ref #: 5.2.12 (v2.2.0) (5.2.16 - v3.0.0)
+
+Exception! Handled by Teleport
+
+
+#####
+Control ID:5224
+Statement:Status of the 'DenyGroups' setting in the 'sshd_config' file
+Ref #: 5.2.14 (v2.2.0) (5.2.4 v3.0.0)
+
+Exception! Handled by Teleport
+
+
+#####
+Control ID: 5225
+Statement:Status of the 'DenyUsers' setting in the 'sshd_config' file
+ref #: 5.2.14 (v2.2.0) (5.2.4 v3.0.0)
+
+Exception! Handled by Teleport
+
+#####
+Control ID: 5283/17996
+Statement:Status of the 'MACs' setting in the '/etc/ssh/sshd_config' file
+ref #: 5.2.11 (v2.2.0) (5.2.14 v3.0.0)
+
+Adjusted sshd_config
+
+
+#####
+Control ID: 5963
+Statement: Status of the current setting for 'net.ipv4.ip_forward' network parameter
+ref #: 3.1.1  (v2.2.0)  (3.2.1 v3.0.0)
+
+10.40.20.42 - openvpn ( required for VPN )
+10.40.24.97 - ghe-backup (docker)
+10.40.32.16 - customer-portal (docker)
+10.40.32.56 - customer-portal (docker)
+
+Exception! Handled by Teleport
+
+####
+Control ID: 7339
+Statement: Status of the 'Permissions' settings for the '/etc/cron.d' directory
+ref #: 5.1.7 
+
+This needs to be set. Currently it is 755. Salt state needs to be created. 
+
+
+###
+Control ID: 7408
+Statement: Current list of world writable directories that do not have the sticky bit configurd
+ref #: 1.1.21  (v2.2.0)  (1.1.24 v3.0.0)
+
+
+/var/log/bash_history
+Modified here: salt/fileroots/os_modifications/tty_history.sls
+
+I don't think this is needed anymore thanks to teleport
+No files are stored in that directory
+
+
+
+###
+Control ID:7417
+Statement: Current list of user accounts with 'existing home directories' defined in /etc/passwd and not present on the
+ref#: 6.2.7 
+
+10.40.30.24 (phantom)
+git-user:/home/git-user
+phantom-worker:/home/phantom-worker
+10.40.28.74 (fm-shared-search)
+I added the dir. should clean it up. 
+george_starcher:/home/george_starcher
+/etc/passwd
+george_starcher:x:60005:60005:sft-managed:/home/george_starcher:/bin/bash
+
+
+Exception!
+
+
+###
+Control ID:7418
+Statement: Status of the current 'unowned' files and directories on the host
+ref #: 6.1.11
+
+
+/home/shahid_mahmood
+/home/shahid_mahmood/.bashrc
+/home/shahid_mahmood/.bash_logout
+/home/shahid_mahmood/.bash_profile
+/home/shahid_mahmood/.zshrc
+
+changed ownership to root:
+
+####
+Control ID: 7419
+statement: Status of the current 'ungrouped' files and directories on the host
+ref #: 6.1.12
+
+/home/shahid_mahmood
+/home/shahid_mahmood/.bashrc
+/home/shahid_mahmood/.bash_logout
+/home/shahid_mahmood/.bash_profile
+/home/shahid_mahmood/.zshrc
+
+changed ownership to root:
+
+####
+Control ID: 7451
+statement: Status of the 'restrict -6 default' setting in the '/etc/ntp.conf' file
+ref #: 2.2.1.2 (v2.2.0)  (2.2.1.3 v3.0.0)
+
+
+Exception!
+
+
+####
+Control ID: 7457
+Statement:Status of the 'OPTIONS' setting in the '/etc/sysconfig/ntpd' file
+ref #: 2.2.1.2 (v2.2.0)  (2.2.1.3 v3.0.0)
+
+Exception!
+
+
+####
+Control ID: 7458
+Statement: Status of the 'inet_interfaces' setting in the '/etc/postfix/main.cf' file
+ref #: 2.2.15 (v2.2.0)  (2.2.16 v3.0.0)
+
+10.40.0.96 / mailrelay
+
+Exception!
+
+
+####
+Control ID: 7949
+Statement:Status of the 'unconfined daemons' on the host
+ref #: 1.6.1.6  (v2.2.0)  (1.7.1.7 v3.0.0)
+
+The host should not have 'unconfined daemons' which are daemons that are not defined in SELinux policy and inherit permissions from parent processes.  Unconfined daemons are daemons without proper permissions and present security risks to the host and this check should be regularly performed and reviewed according to the needs of the business.  NOTE: This check should produce NO unconfined daemons on the list.
+
+unconfined daemons
+mongod
+splunkd
+
+Exception!
+
+
+####
+Control ID: 8327
+Statement:Status of the 'world-writable' files and directories on the host
+ref #: 6.1.10
+
+
+The following List String value(s) <b>X</b> indicate the status of local <b>world-writable</b> files and directories.
+
+======Expected Value(s)======
+
+File not found
+------------ OR ------------
+does not contain regular expression list
+.+
+
+======Current Value(s) - Last updated: 06/10/2021 at 05:25:24 PM (GMT-0400)======
+root:root:drwxrwxrwt.:/dev/mqueue
+root:root:drwxrwxrwt.:/dev/shm
+root:root:drwxrwxrwt.:/opt/tmp
+root:root:drwxrwxrwt.:/tmp
+root:root:drwxrwxrwt.:/tmp/.font-unix
+root:root:drwxrwxrwt.:/tmp/.ICE-unix
+root:root:drwxrwxrwt.:/tmp/.Test-unix
+root:root:drwxrwxrwt.:/tmp/.X11-unix
+root:root:drwxrwxrwt.:/tmp/.XIM-unix
+root:root:drwxrwxrwt.:/tmp/systemd-private-5e8298ad14ed4e9381a2786970c55c78-chronyd.service-vs5GMY/tmp
+root:root:drwxrwxrwt.:/var/tmp
+root:root:drwxrwxrwt.:/var/tmp/cloud-init
+root:root:drwxrwxrwx.:/var/log/bash_history
+
+This needs to be figured out one by one. :-(
+
+#####
+Control ID: 9380
+Statement:Status of the Mail Transfer Agent for Local-Only Mode
+ref #: 2.2.15 (v2.2.0)  (2.2.16 v3.0.0)
+
+10.40.0.96 / mailrelay
+
+Exception!
+
+####
+Control ID: 9391
+Statement: Status of the System Accounts
+ref #: 5.4.2
+
+10.40.30.24 / phantom
+
+pgbouncer:x:993:989:PgBouncer Server:/home/pgbouncer:/bin/bash
+postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
+
+Exception!
+
+####
+Control ID: 9623
+Statement: Status of the 'try_first_pass' setting within the '/etc/pam.d/system-auth'
+ref #: 5.3.1
+
+This needs to be figured out. possible execption
+
+
+####
+Control ID: 9629
+Statement: Status of the 'retry' parameter for login attempts defined within '/etc/pam.d/system-auth'
+ref #: 5.3.1
+
+This needs to be figured out. possible execption
+
+####
+Control ID: 9881
+Statement: Status of the 'httpd' service using systemd
+ref #: 2.2.10 (v2.2.0)  (2.2.11 v3.0.0)
+
+10.40.2.41/reposerver needs httpd
+
+Exception!
+
+####
+Control ID: 10236
+Statement: Status of the ownership set for the home directory of Non system User
+ref #: 6.2.9 (v2.2.0)  (6.2.7 v3.0.0)
+
+fm-shared-search
+phantom-0
+
+This is a false positive. CIS benchamrk bash script does not show home directory ownership issues. 
+
+The following List string value(s) <b>X</b> indicate the <b>ownership</b> details for the <b>user account home directories</b> on the host.  Each line in the result consists of the account name, UID, home-directory path followed by the actual owner of the home directory.
+
+======Expected Value(s)======
+
+Non-system users not found
+------------ OR ------------
+matches regular expression list
+^(nfsnobody:.*)|(([^:]+):.*:\3)$
+
+======Current Value(s) - Last updated: 06/10/2021 at 05:25:24 PM (GMT-0400)======
+brad_poulton:60010:/home/brad_poulton:brad_poulton
+brandon.naughton:50022:/home/brandon.naughton:brandon.naughton
+brandon_naughton:60012:/home/brandon_naughton:brandon_naughton
+centos:1001:/home/centos:centos
+charles.kuykendall:50021:/home/charles.kuykendall:charles.kuykendall
+charles_kuykendall:60014:/home/charles_kuykendall:charles_kuykendall
+colby_williams:60018:/home/colby_williams:colby_williams
+donald.wong:50023:/home/donald.wong:donald.wong
+donald_wong:150045:/home/donald_wong:donald_wong
+duane_waddle:60001:/home/duane_waddle:duane_waddle
+frederick_t_damstra:60017:/home/frederick_t_damstra:frederick_t_damstra
+george_starcher:60005:/home/george_starcher:Directory not found
+james_m_jarrett:150002:/home/james_m_jarrett:james_m_jarrett
+jeremy_cooper:150036:/home/jeremy_cooper:jeremy_cooper
+john_reuther:60003:/home/john_reuther:john_reuther
+j_kerr:50020:/home/j_kerr:j_kerr
+randy_coffman:60015:/home/randy_coffman:randy_coffman
+splunk:50009:/opt/splunk:splunk
+svc-qualys:50008:/home/svc-qualys:svc-qualys
+s_scott:150035:/home/s_scott:s_scott
+wesley_leonard:60009:/home/wesley_leonard:wesley_leonard
+
+####
+Control ID: 10480
+Statement: Status of the 'restrict -4 default' setting in the '/etc/ntp.conf' file
+ref #: 2.2.1.2 (v2.2.0)  (2.2.1.3 v3.0.0)
+
+Exception! COMP-39
+
+
+####
+Control ID: 10655
+Statement: Status of the 'vfat' Filesystems (modprobe)
+ref #: 1.1.1.8 (v2.2.0)  (1.1.1.4 v3.0.0)
+
+This needs to be figured out.
+
+The List string value of <b>X</b> indicates the status of the <b>file systems</b> using <b>modeprobe</b> utility  to check if the file system is mountable on the host.
+
+======Expected Value(s)======
+contains regular expression list
+vfat\s*:\s*install\s+/bin/true
+
+======Current Value(s) - Last updated: 06/10/2021 at 05:25:24 PM (GMT-0400)======
+cramfs : install /bin/true 
+freevxfs : install /bin/true 
+hfs : install /bin/true 
+hfsplus : install /bin/true 
+jffs2 : install /bin/true 
+squashfs : insmod /lib/modules/3.10.0-1160.25.1.el7.x86_64/kernel/fs/squashfs/squashfs.ko.xz 
+udf : insmod /lib/modules/3.10.0-1160.25.1.el7.x86_64/kernel/lib/crc-itu-t.ko.xz :install /bin/true 
+vfat : insmod /lib/modules/3.10.0-1160.25.1.el7.x86_64/kernel/fs/fat/fat.ko.xz :insmod /lib/modules/3.10.0-1160.25.1.el7.x86_64/kernel/fs/fat/vfat.ko.xz
+
+
+##### 
+Control ID: 10664
+Statement: Status of the 'OPTIONS' setting within '/etc/sysconfig/chronyd' file
+ref #: 2.2.1.3 (v2.2.0)  (2.2.1.2 v3.0.0)
+
+This needs to be figured out.
+
+`# grep ^OPTIONS /etc/sysconfig/chronyd`
+
+OPTIONS="-u chrony"
+
+See packer/lcp/vmware/salt/cis-hardening-rhel-7/section-2.sls
+
+
+####
+Control ID: 10665
+Statement: Status of the default deny firewall policy
+ref #: 3.6.2
+
+This needs to be figured out. possible execption for security groups? Why have the FW without default deny?
+
+
+####
+Control ID: 10666
+Statement: Status of the '$FileCreateMode' setting within '/etc/rsyslog.conf' file
+ref #: 4.2.1.3 (v2.2.0)  (4.2.1.4 v3.0.0)
+
+
+This needs to be figured out.
+packer/lcp/vmware/salt/cis-hardening-rhel-7/section-4.sls
+packer/scripts/aws-hardening.sh
+
+
+####
+Control ID: 10667
+Statement: Status of the 'perm' option within '/etc/syslog-ng/syslog-ng.conf' file
+ref #: 4.2.2.3
+
+Exception for C2 servers. LCP servers have syslog-ng installed. 
+
+
+####
+Control ID: 10669
+Statement: Status of the 'password hashing algorithm' setting within '/etc/pam.d/system-auth' file
+ref #: 5.3.4 (v2.2.0)  (5.3.3 v3.0.0)
+
+This needs to be figured out. Yes it is in password-auth, but not in system-auth. 
+[gc-prod]brad.poulton@salt-master:~:$ egrep '^password\s+sufficient\s+pam_unix.so' /etc/pam.d/password-auth
+password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
+[gc-prod]brad.poulton@salt-master:~:$ egrep '^password\s+sufficient\s+pam_unix.so' /etc/pam.d/system-auth
+[gc-prod]brad.poulton@salt-master:~:$
+
+
+####
+Control ID: 10671
+Statement: Status of the 'syslog-ng' service
+ref #: 4.2.2.1 (v2.2.0) ( not found in v3.0.0)
+
+Exception! COMP-46
+
+
+####
+Control ID: 10672
+Statement: Status of the installed 'syslog-ng' package on the host
+ref #: 4.2.3 (v2.2.0) ( not found in v3.0.0)
+
+Exception! COMP-46
+
+
+####
+Control ID: 10673
+Statement: Status of the 'permission' set for all logfiles in '/var/log' directory
+ref #: 4.2.4 (v2.2.0)  (4.2.3 v3.0.0)
+
+find /var/log -type f -perm /g+wx,o+rwx  -exec ls -l {} \;
+This needs to be figured out.
+
+
+####
+Control ID: 10675
+Statement: Status of the 'loopback traffic' setting
+ref #: 3.6.3 (v2.2.0)  (3.5.3.2.2 v3.0.0)
+
+This needs to be figured out. See CIS workbench.
+
+####
+Control ID: 10676
+Statement: Status of the 'iptables rules' for all 'open ports' on the host
+ref #: 3.6.5 (v2.2.0)  (3.5.3.2.4 v3.0.0)
+
+This needs to be figured out. possible execption for security groups? if we add a default deny we will need these.
+
+
+####
+Control ID: 10724
+Statement: Status of the 'user-db' parameter in '/etc/dconf/profile/gdm'
+ref #: 1.7.2 (v2.2.0)  (1.10 v3.0.0)
+
+Exception! no Gnome display manager
+
+
+####
+Control ID: 10725
+Statement: Status of the 'system-db' parameter in '/etc/dconf/profile/gdm'
+ref #: 1.7.2 (v2.2.0)  (1.10 v3.0.0)
+
+Exception! no Gnome display manager
+
+####
+Control ID: 10726
+Statement: Status of the 'file-db' parameter in /etc/dconf/profile/gdm
+ref #: 1.7.2 (v2.2.0)  (1.10 v3.0.0)
+
+Exception! no Gnome display manager
+
+####
+Control ID: 10732
+Statement: Status of the 'Maximum Password Age' setting (expiration) for 'users with a password' setting
+ref #: 5.4.1.1
+
+exception! teleport COMP-33
+
+####
+Control ID: 10733
+Statement: Status of the 'Minimum Password Age' for 'users with a password' setting
+ref #: 5.4.1.2
+
+exception! teleport COMP-33
+
+
+####
+Control ID: 10734
+Statement: Status of the 'number of days before a [Prompt user] password expiration warning prompt is displayed at logi
+ref #: 5.4.1.3
+
+exception! teleport COMP-33
+
+
+####
+Control ID: 10735
+Statement: Status of the 'Maximum number of days of inactivity allowed before a user account is locked out' for 'users
+ref #: 5.4.1.4 (v2.2.0)  (5.4.1.5 v3.0.0)
+
+exception! teleport COMP-33
+
+####
+Control ID: 10823
+Statement: Status of the home directory ownership and permissions for the system accounts defined within the /etc/passwd file / Ensure users' home directories permissions are 750 or more restrictive
+ref #: 6.2.8 (v2.2.0)  (6.2.6 v3.0.0)
+
+Possible exception for splunk user?
+
+[gc-prod]root@salt-master:~:# bash cis-deleteme.sh
+Other Read permission set on the home directory (/opt/splunkforwarder) of user splunk
+Other Execute permission set on the home directory (/opt/splunkforwarder) of user splunk
+
+
+####
+Control ID: 10824
+Statement: Status of the home directory ownership and permissions for the user accounts (non-system users) defined within the /etc/passwd file
+ref #:6.2.8 (v2.2.0)  (6.2.6 v3.0.0)
+
+Possible exception for splunk user?
+
+[gc-prod]root@salt-master:~:# bash cis-deleteme.sh
+Other Read permission set on the home directory (/opt/splunkforwarder) of user splunk
+Other Execute permission set on the home directory (/opt/splunkforwarder) of user splunk
+
+
+####
+Control ID: 10848
+Statement: Status of the 'ExecStart' setting in '/usr/lib/systemd/system/ntpd.service'
+ref #: 2.2.1.2 (v2.2.0)  (2.2.1.3 v3.0.0)
+
+False Positive. ntp is not installed. Chrony is used.
+
+
+
+####
+Control ID: 10859
+Statement: Status of the 'periodically scheduled (crontab)' aide check (/etc/cron.* and /etc/crontab)
+ref #: 1.3.2 (v2.2.0)  (1.4.2 v3.0.0)
+
+False Positive. Qualys is looking for the vanilla aide. 
+# SALT_CRON_IDENTIFIER:AIDE
+@daily /usr/local/bin/aide-run.sh > /dev/null 2>&1
+
+
+####
+Control ID: 12751
+Statement: Status of ownership set for the /boot/grub2/user.cfg
+ref #: 1.4.1 (v2.2.0)  (1.5.2 v3.0.0)
+
+false positive.
+[gc-prod]root@salt-master:/boot/grub2:# stat /boot/grub2/user.cfg
+stat: cannot stat ‘/boot/grub2/user.cfg’: No such file or directory
+
+####
+Control ID: 12752
+Statement: Status of permission set for the /boot/grub2/user.cfg
+ref #: 1.4.1 (v2.2.0)  (1.5.2 v3.0.0)
+
+false positive.
+[gc-prod]root@salt-master:/boot/grub2:# stat /boot/grub2/user.cfg
+stat: cannot stat ‘/boot/grub2/user.cfg’: No such file or directory
+
+####
+Control ID: 12785
+Statement: Status of the 'fs.suid_dumpable' parameter configured under '/etc/sysctl.d/', '/run/sysctl.d/' or '/usr/lib/sysctl.d/' directories
+ref #: 1.4.1 
+
+False positive: recommend moving # CIS 1.5.1 to allow regex to work properly
+packer/scripts/aws-hardening.sh
+
+The following List String value(s) <b>x</b> indicates the current status of <b>fs.suid_dumpable</b> setting configured for sysctl on the host. This includes all the <b>.conf</b> files under <b>/etc/sysctl.d/, /run/sysctl.d/ and /usr/lib/sysctl.d/</b> directories. The return value consists of filename, setting name and value set for the setting.
+
+======Expected Value(s)======
+matches regular expression list
+^[^:]+:\s*fs.suid_dumpable\s*=\s*0\s*$
+
+======Current Value(s) - Last updated: 06/10/2021 at 05:25:24 PM (GMT-0400)======
+/etc/sysctl.d/99-sysctl.conf:fs.suid_dumpable = 0          # CIS 1.5.1
+
+####
+Control ID: 
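Review bot: the umask entry (Control ID 4726) is recorded as a false positive, but the CIS grep quoted directly beneath it only accepts a numeric umask whose last octal digit is 7 (`0[0-7][2-7]7` or `[0-7][2-7]7`), so a umask of 022 is a genuine failure against the benchmark's 027-or-stricter requirement rather than a regex defect; either change the value set in packer/scripts/aws-hardening.sh to 027 or record it as an exception with a ticket. Two smaller points: the hosts.allow/hosts.deny (4437/4438), AllowGroups/AllowUsers (5215/5217) and ntp restrict entries say only "Exception!" with no ticket, while the opening paragraph names unaccounted-for deviations as the POAM finding, so each should cite its COMP ticket the way the COMP-33, COMP-39 and COMP-46 entries do; and the net.ipv4.ip_forward entry (5963) lists openvpn and docker hosts as the reason forwarding is enabled but then says "Handled by Teleport", which does not match the listed hosts and should be reworded.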

+ 41 - 5
New Customer Setup Notes - GovCloud.md

@@ -571,7 +571,28 @@ Note from Brad: Donkey! ( see Shrek 2 Dinner scene. https://www.youtube.com/watc
   
 # Additional tasks:
 
-## Portal Lambda Env Var
+
+## Add Tenant in Customer Portal
+NOTE: This step requires you to be an admin on the customer portal and be on the whitelist. 
+
+#add the new company 
+Companies > Add > 
+
+Name: Full name
+Address: TBD
+Phantom tenant id: Get this from Greg. Possibly in Jira ticket. 
+Short name: (Upper case CustomerPrefix)
+Endpoint min: 0
+Endpoint max: 500
+Gb max: Get this from customer dossier link can be found in the jira ticket for ohantom tenant jira ticket. Look for Splunk Info and size.
+Contract start date: see customer dossier
+Contract end date: see customer dossier
+Idp name: OKTA
+
+
+
+https://portal.xdr.accenturefederalcyber.com/admin/
+## Portal Lambda Env Var for Sync
 
 TODO: improve these steps by working with Wes. 
 Add the customer to the portal lambda env vars. prod/aws-us-gov/mdr-prod-c2/205-customer-portal-lambda/terragrunt.hcl
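Review bot: `#add the new company` will render as a level-1 Markdown heading, since this file uses `#`/`##`/`###` for headings (see `# Additional tasks:`), so make it a plain sentence; likewise the `https://portal.xdr.accenturefederalcyber.com/admin/` line sits directly above the `## Portal Lambda Env Var for Sync` heading and reads as belonging to that section rather than to the tenant-creation steps it serves. `Phantom tenant id: Get this from Greg` ties the procedure to one person; point at the record where the id is stored (the hunk already mentions a Jira ticket), and fix the typo `ohantom`.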
@@ -579,14 +600,29 @@ Add the customer to the portal lambda env vars. prod/aws-us-gov/mdr-prod-c2/205-
 Also, in Prod Vault, update the Customer Portal Vars
 Vault > portal > lambda_sync_env
 
-The Token is generated by Wes??
+create new fields CUSTOMER_<phantom-tenet-id>_{NAME, Splunk_URL, TOKEN}
+input data into values
+
+To get token:
+you need admin access to customer portal. toekn is auto generated when customer is created in portal.
+Tokens> look for correct customer name. 
 
-Is this accurate???
-in customer splunk SH create svc-portal-data-sync-lambda user. 
+In customer splunk SH create svc-portal-data-sync-lambda user. 
 Name: svc-portal-data-sync-lambda
 Full Name: Portal Data Sync
+Settings>user > new user
 
-
+Name: svc-portal-data-sync-lambda
+Set password: < get from vault>
+Assign Roles: svc_essjobs
+(remove "user" role)
+uncheck: Require password change on first login
+
+### Smoke Test 
+<NOT IMPLEMENTED YET!>
+Have Wes check connectivty to SH. 
+In AWS console, go to mdr-prod-c2-gov, services> lambda> portal_data_sync>
+TODO: finish
 
 ## Splunk configuration
 
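Review bot: the TOKEN placed into `CUSTOMER_<phantom-tenet-id>_{NAME, Splunk_URL, TOKEN}` is a live credential copied from the portal's Tokens page, so the steps should state that it goes only into Vault (`Vault > portal > lambda_sync_env`) and the lambda env vars, never into this wiki or a ticket; `tenet` should read `tenant` and `toekn` `token`. The Splunk user steps list `Name: svc-portal-data-sync-lambda` twice, once before and once after `Settings>user > new user`, so merge them into one ordered block (menu path first, then fields). Removing the `user` role and leaving only `svc_essjobs` is the right least-privilege choice. The `### Smoke Test` section is still `<NOT IMPLEMENTED YET!>` with a `TODO: finish`, so readers have no way to confirm the sync works.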

+ 1 - 0
OpenVPN Notes.md

@@ -48,6 +48,7 @@ uid
 
 ## OpenVPN License
 
+PROD -> See Salt state.
 TEST -> YOLO via web interface. This means i did not take the time to reconfigure the Salt states to handle a prod and test license. 
 
 
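Review bot: `PROD -> See Salt state.` names no state file or pillar key, so a reader cannot find where the production license is applied; give the path, and say whether the license key itself lives in pillar or Vault rather than in the state file, since the TEST line below it says the states were never set up to handle separate prod and test licenses.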

+ 4 - 6
Phantom Notes.md

@@ -10,7 +10,10 @@ postgres log location
 Restart just pgbouncer
 systemctl restart pgbouncer
 
-## Phantom pgbouncer Issue
+## How Do I View Moose Events in Phantom?
+Drop down > Cases > Filter on TENANT > MOOSE
+
+## Phantom pgbouncer Issue (legacy)
 
 ```
 [gc-prod]root@phantom-0:~:# ps -ef | grep pgbouncer | wc -l
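Review bot: the new `## How Do I View Moose Events in Phantom?` section is inserted between the `Restart just pgbouncer` command and the pgbouncer issue it relates to, splitting the pgbouncer material; move it to its own place in the file and spell out what MOOSE refers to, since the hunk shows it only as a TENANT filter value. Marking the pgbouncer issue `(legacy)` is fine, but say which version resolved it (the Phantom Upgrade Notes hunk in this commit mentions a 4.10.4 upgrade for a pgbouncer issue) so readers know whether it still applies to a given host.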
@@ -349,9 +352,4 @@ sudo /opt/phantom/bin/start_phantom.sh
 ```
 
 
-### Sidetrack: Versions
-gc-dev-phantom-0: phantom.x86_64             4.9.39220-1
-dev-phantom:      phantom.x86_64             4.9.37880-1
-prod-phantom:     phantom.x86_64             4.9.35731-1
-
 
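Review bot: dropping `### Sidetrack: Versions` removes the only record in this file of which Phantom build each environment (gc-dev-phantom-0, dev-phantom, prod-phantom) was running; if the numbers are merely stale, a dated version table in `Phantom Upgrade Notes.md` would preserve the history, which matters when checking whether a known issue such as the pgbouncer one above applies to a host.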

+ 65 - 11
Phantom Upgrade Notes.md

@@ -1,8 +1,9 @@
 # Phantom Upgrade Notes
 
-During the migiration to GovCloud, we had to use the limited offline rpms. The notes below may be outdated. Reference https://docs.splunk.com/Documentation/Phantom/4.9/Install/UpgradeOffline
 
-Recommend you see the installation notes in `Phantom Notes.md`
+https://docs.splunk.com/Documentation/Phantom/latest/Install/UpgradeOverview
+
+See also: the installation notes in `Phantom Notes.md`
 
 # General Notes
 
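Review bot: replacing the version-pinned reference with `https://docs.splunk.com/Documentation/Phantom/latest/Install/UpgradeOverview` means the link will drift away from the 4.10.x procedure documented later in this file; keep a link pinned to the version the steps were validated against (the backup link in the next hunk's context is pinned to 4.10.2). Deleting the sentence about the limited offline rpms also drops the warning that older notes may be outdated; keep one line saying the offline-RPM notes are superseded by the repo-based install.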
@@ -11,7 +12,68 @@ BE SURE TO HAVE AT MOST 55% FREE space  ( 45% used space)
 
 Backup documentation [Restore Splunk Phantom from a backup](https://docs.splunk.com/Documentation/Phantom/4.10.2/Admin/Restorefromabackup)
 
-# 4.10
+# Upgrade Steps
+See Splunk docs!
+
+## Take a backup
+
+Silence Phantom Sensu checks
+
+Stop Phantom 
+`/opt/phantom/bin/stop_phantom.sh`
+
+Take an AWS snapshot in addition to the automatic snapshots! should be for a 500 GB volume ( prod ) or a 60 GB volume ( TEST )
+Naming Scheme: phantom-pre-upgrade-backup-<current-version>
+
+Take a full phantom backup while phantom is running
+`/opt/phantom/bin/start_phantom.sh`
+`/opt/phantom/bin/phenv ibackup --setup`
+`/opt/phantom/bin/phenv ibackup --backup`
+
+## Prerequisites
+Be sure you have enough space!
+`df -h | grep opt`
+
+## Prep 
+
+Stop Phantom 
+`/opt/phantom/bin/stop_phantom.sh`
+
+disable backups
+`sed -i -e 's/archive_mode = on/archive_mode = off/i' /opt/phantom/data/db/postgresql.phantom.conf`
+`grep archive_mode /opt/phantom/data/db/postgresql.phantom.conf`
+
+Clean yum 
+`yum clean all`
+
+install updates excluding nginx. 
+Watch out for the phantom_repo package being updated! Do not update phantom_repo, yet. Reboot if kernal is updated.
+`yum update --exclude=nginx`
+
+Start Phantom
+`/opt/phantom/bin/start_phantom.sh`
+
+Install phantom repo and signing keys
+use either the yum upgrade or the rpm command to upgrade the repo package.
+
+## Upgrade
+This takes a LONG time! 
+Do you want to upgrade apps at the same time? Ask Greg. 
+`/opt/phantom/bin/phantom_setup.sh upgrade --without-apps`
+`/opt/phantom/bin/phantom_setup.sh upgrade`
+
+usually
+TEST - yes apps
+CAASP - yes apps
+PROD - no apps
+
+
+# 4.10.4
+05/2021
+minor upgrade due to known issue with pgbouncer and okta auth. 
+
+
+# 4.10.3
 05/2021
 
 Follow Splunk Docs! 
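Review bot: the `## Prep` section turns off WAL archiving with `sed -i -e 's/archive_mode = on/archive_mode = off/i' /opt/phantom/data/db/postgresql.phantom.conf`, but no step in `## Upgrade` sets `archive_mode = on` again, so the database would keep running without archive backups after the upgrade; add a post-upgrade step that reverts the setting and verifies it with the same `grep archive_mode` line. The same gap applies to `Silence Phantom Sensu checks`, which has no matching unsilence step. Smaller points: the `## Prerequisites` disk-space check (`df -h | grep opt`) belongs before the snapshot and backup steps rather than after them; `Watch out for the phantom_repo package being updated!` can be enforced with `--exclude=nginx,phantom_repo` on the yum line instead of relying on the operator to notice; and `kernal` should read `kernel`.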
@@ -19,14 +81,6 @@ Switched XDR from offline RPM install to Phantom repo install
 I had to upgrade to latest version in 4.9 before upgrading to 4.10
 Use tmux to avoid SSH timeout during upgrade?
 
-- stop phantom
-- take aws backup of large phantom EBS volume
-- start phantom
-- take phantom local backup
-- start upgrade proceedures by looking at splunk docs
-
-
-
 # 4.9
 08/2020
 
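Review bot: removing the five-step checklist is fine because the new `## Take a backup` and `## Prep` sections earlier in this file cover the same steps in more detail; the remaining context line `Use tmux to avoid SSH timeout during upgrade?` is still a question, and since the upgrade section warns that the upgrade takes a long time, resolve it into a plain instruction there rather than leaving it in the 4.10.3 notes.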

+ 0 - 1
Portal Notes.md

@@ -16,7 +16,6 @@ salt 'customer-portal*' cmd.run 'docker restart portal nginx'
 
 ```
 salt 'customer-portal*' test.ping
-salt 'customer-portal*' cmd.run 'docker images'
 salt 'customer-portal*' cmd.run 'docker container ls'
 salt 'customer-portal*' cmd.run 'docker stop portal nginx'
 salt 'customer-portal*' cmd.run 'docker rm portal nginx'
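Review bot: nothing blocking; the removed `docker images` call was a read-only listing. Since the remaining block goes straight from `docker container ls` to `docker stop portal nginx` and `docker rm portal nginx` on every minion matching `customer-portal*`, the surrounding text should say what recreates the containers afterwards and that the `test.ping` line is there to confirm the target set before the destructive commands run.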

+ 1 - 0
Teleport Notes.md

@@ -13,6 +13,7 @@ tsh --proxy=teleport.xdr.accenturefederalcyber.com login
 tsh ls
 tsh --proxy=teleport.xdr.accenturefederalcyber.com ls
 tsh --proxy=teleport.xdrtest.accenturefederalcyber.com ssh caasp-phantom
+tshd scp brad.poulton@sensu.pvt.xdrtest.accenturefederalcyber.com:sensu_support.tgz .
 ```
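Review bot: `tshd scp brad.poulton@sensu.pvt.xdrtest.accenturefederalcyber.com:sensu_support.tgz .` looks like a typo for `tsh scp`, the client used on every other line of this block (`tshd` is not the Teleport user CLI); the line also omits the `--proxy=teleport.xdrtest.accenturefederalcyber.com` flag that the other xdrtest command carries, so it only works after a prior `tsh login` against that proxy, which is worth stating since the rest of the block shows the proxy explicitly.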