Fred Damstra [afs macbook] 3 years ago
parent
commit
3393d9fc5d
4 changed files with 131 additions and 13 deletions
  1. +69 -0
      Customer Search Head Notes.md
  2. +7 -0
      Postfix Notes.md
  3. +5 -0
      Salt Notes.md
  4. +50 -13
      VMRay Notes.md

+ 69 - 0
Customer Search Head Notes.md

@@ -0,0 +1,69 @@
+# Customer Search Head Notes
+
+To add a customer-facing search head (including one for qmulos or qcontrol):
+
+## Okta Setup - Directory -> Groups
+
+1. In Okta Admin, go to directory->groups
+1. Add a Group, such as 'FRTIB'
+1. Review the Rules tab, reviewing the group for 'Federated Users are Splunk Users'.
+
+## Okta Setup - Security -> Identity Providers
+
+1. In Okta Admin, go to Security->Identity Providers
+1. Add a provider. Follow one of the examples. For now, make up the customer's IdP URLs and use any certificate you can find temporarily. YOu'll get the real certificate from teh customer later.
+1. Expand the new IdP and download the metadata. Send it to the customer and ask for:
+  * IdP Issuer URI (EntityID)
+  * IdP Single Sign-on URL (Authn endpoint)
+  * IdP Signature Certificate
+1. In the Routing Rules tab, set up a new routing rule with the assigned prefix.
+
+Notes:
+Okta also has configuration for Federated Users under:
+* Security->Multifactor, Factor Enrollment tab. Federated Users are excluded from enrollment.
+* Security->Authentication, Sign On tab. Federated users are excluded from MFA.
+
+## Create the Application for the Search Head
+
+1. Use our script to create the app in okta
+```
+cd ~/msoc-infrastructure/tools/okta_app_maker
+OKTA_API_TOKEN=blah ./okta_app_maker.py 'FRTIB Splunk Customer SH [Prod]' https://search.frtib.xdr.accenturefederalcyber.com
+```
+1. Edit ~/msoc-infrastructure/salt/pillar/CUST_variables.sls
+1. Paste the info from the script and updates the `if` clause
+1. Submit your PR to develop, then to master.
+1. Edit the application in okta:
+  * Fix the icon
+  * Assign the groups: CUST, mdr-engineers, mdr-admins, (Maybe more?)
+
+## Add the customer SH to the customer
+
+```
+cd ~/xdr-terraform-live/prod/aws-us-gov/mdr-prod-CUST
+cp -a ~/xdr-terraform-live/test/aws-us-gov/mdr-test-modelclient/190-splunk-customer-searchhead .
+cd 190-splunk-customer-searchhead/
+rm -rf .terragrunt-cache/
+vim terragrunt.hcl
+# update tag to latest
+vim ../account.hcl
+# Add "splunk-cust-sh" to instance_types
+# Add to splunk_volume_sizes:
+    "customer_searchhead" = {
+      "swap": 8,  # minimum: 8
+      "/": 10,    # minimum: 10
+      "/home": 4, # minimum: 4
+      "/var": 15, # minimum: 15
+      "/var/tmp": 4, # minimum: 4
+      "/var/log": 8, # minimum: 8
+      "/var/log/audit": 8, # minimum: 8
+      "/tmp": 4,  # minimum: 4
+      "/opt/splunk": 60, # No minimum; not in base image
+    },
+```
+
+Do a PR, get approval, then terraform, highstate, and proceed as usual.
+
+## When Metadata from Customer is Received
+
+Update the IdP configuration in okta and test.
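Review bot: the "Security -> Identity Providers" step says to "make up the customer's IdP URLs and use any certificate you can find temporarily", but nothing in the hunk says to keep the new routing rule inactive (or the IdP disabled) until the customer's real signature certificate is loaded and tested; a live IdP whose signing certificate has a private key of unknown custody is an assertion-signing path nobody on the team controls. Add an explicit "leave the routing rule inactive until the real metadata is in" step here, and under "When Metadata from Customer is Received" add "confirm the placeholder certificate and URLs were replaced, then enable the routing rule". Also, `OKTA_API_TOKEN=blah ./okta_app_maker.py ...` puts the real token on the command line where it lands in shell history; suggest `read -rs OKTA_API_TOKEN && export OKTA_API_TOKEN` (or pulling it from the secrets store) before the call. Minor: "YOu'll get the real certificate from teh customer" and "Paste the info from the script and updates the `if` clause" have typos, and the group step "Review the Rules tab, reviewing the group for 'Federated Users are Splunk Users'" should say whether the new group must be added to that rule or merely checked against it.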

+ 7 - 0
Postfix Notes.md

@@ -0,0 +1,7 @@
+# Postfix Notes
+
+To test SSL on 25:
+```
+openssl s_client -tls1_2 -connect localhost:25 -starttls smtp
+```
+
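Review bot: `openssl s_client -tls1_2 -connect localhost:25 -starttls smtp` only shows that a TLS 1.2 handshake succeeds; say what the reader should look for in the output (the `Verify return code`, the negotiated cipher, and the certificate subject/issuer) and pair it with the negative check using `-tls1_1` or `-tls1`, which should fail if legacy protocol versions are disabled in Postfix. Because the target is `localhost`, the certificate name will never match the host; add `-servername <mail host>` or connect by the public name when the point of the test is the certificate rather than the protocol.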

+ 5 - 0
Salt Notes.md

@@ -91,6 +91,11 @@ To excludes states within an sls, use a map, like this one which runs all the st
 salt -C '*indexer* or *idx*' state.sls splunk.indexer test=true --output-diff --timeout=300 exclude="[{'id': '/opt/splunk/etc/system/local/server.conf'}]"
 ```
 
+This is a usseful one for doing everything but restarting splunk:
+```
+salt '*splunk*' state.highstate --output-diff test=true exclude="[{'id': 'big_bounce'}, {'id': 'restart_splunk'}]"
+```
+
 
 ---- 
 Random - [Extending External SLS Data](https://docs.saltproject.io/en/latest/ref/states/extend.html)
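Review bot: the new "everything but restarting splunk" command still carries `test=true`, so as written it applies nothing; state that the dry run is intentional and that the real run drops `test=true`, at which point `exclude="[{'id': 'big_bounce'}, {'id': 'restart_splunk'}]"` is the only thing preventing a restart. It would also help to name the sls files where the `big_bounce` and `restart_splunk` state IDs are defined so they can be re-checked when those states change. Typo: "usseful".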

+ 50 - 13
VMRay Notes.md

@@ -9,16 +9,53 @@ VMRay Analyzer is a tool to detonate malware in a controlled environment.
 
 ## Generalized Architecture
 
-VMRay Analyzer consists of a VMRay Server, which coordinates the use of other systems, and one or more _bare metal_ worker machines on which malware detonates. The systems run Ubuntu 18.04 LTS.
-
-The system is deployed in its own VPC in the GovCloud C&C accounts (one for prod, one for test)
-
-## Documentation
-
-* [On-Prem_Hardware_Sizing_Estimate.xlsx](files/vmray/On-Prem_Hardware_Sizing_Estimate.xlsx)
-* [VMRay v3.3.0 Admin Guide](files/vmray/vmray-onprem-admin-guide-v3.3.0.pdf)
-
-## Integrations
-
-Integrated with Phantom
-
+VMRay Analyzer consists of a VMRay Server, which coordinates the use of other systems, and one or more _bare metal_ worker machines on which malware detonates. The systems run Ubuntu 20.04 LTS.
+
+The system is deployed in its own account in GovCloud (one for prod, one for test)
+
+# Source
+
+documentation and downloads are at: https://portal.vmray.com/customer/login?
+
+### Install Log
+
+```
+sudo ua attach <private>
+sudo ua enable --assume-yes cis fips fips-updates
+sudo /usr/share/ubuntu-scap-security-guides/cis-hardening/Canonical_Ubuntu_20.04_CIS-harden.sh lvl2_server
+sudo apt update && sudo apt upgrade
+sudo reboot
+
+
+sudo -H pip3 install --upgrade awscli
+sudo -H pip3 install --upgrade --force-reinstall awscli
+sudo find /usr/local/lib -type f -exec chmod o+r {} \;
+aws --region us-gov-east-1 s3 cp s3://afsxdr-binaries/VMRay/extended-kvm-4.2.1.zip .
+aws --region us-gov-east-1 s3 cp s3://afsxdr-binaries/VMRay/vmray-4.2.1.zip .
+sudo mkdir /usr/local/src/vmray/
+sudo chown centos /usr/local/src/vmray/
+sudo mv *.zip /usr/local/src/vmray/
+cd /usr/local/src/vmray
+unzip extended-kvm-4.2.1.zip
+unzip vmray-4.2.1.zip
+sudo bash install.sh
+```
+
+For server:
+```
+Do you want to install or update VMRay Platform Server on this machine (y/n)? y
+Do you want to install or update VMRay Platform Worker on this machine (y/n)? n
+Do you want to perform an offline installation? (y/n)? n
+Do you want to continue (y/n)? y
+```
+
+For the worker:
+```
+Do you want to install or update VMRay Platform Server on this machine (y/n)? n
+Do you want to install or update VMRay Platform Worker on this machine (y/n)? y
+Do you want to install or update Extended KVM on this machine (y/n)? y
+Do you want to perform an offline installation? (y/n)? n
+Do you want to continue (y/n)? y
+```
+
+... Then back to admin guide for now.
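Review bot: `sudo chown centos /usr/local/src/vmray/` is run on a host the same hunk describes as Ubuntu 20.04 LTS, where a `centos` user does not normally exist; this looks carried over from another install log and should be the actual login user (for example `$USER`). `sudo find /usr/local/lib -type f -exec chmod o+r {} \;` right after the `sudo -H pip3 install` lines makes every file under /usr/local/lib world-readable on a box that was just hardened with `Canonical_Ubuntu_20.04_CIS-harden.sh lvl2_server`; prefer `pip3 install --user awscli` (or a venv) so no system-wide permission change is needed, or at least record why the chmod is required. The VMRay zips are copied from S3 and run with `sudo bash install.sh` with no checksum recorded; add the expected hashes and a verification step before the installer runs. Structure: `# Source` is a top-level heading inside the `## Generalized Architecture` section and `### Install Log` hangs under it; make it `## Source` and capitalize "documentation and downloads are at". The `## Documentation` (sizing spreadsheet, v3.3.0 admin guide) and `## Integrations` (Phantom) sections are deleted without replacement; if the Phantom integration still exists keep that section, and point the admin guide link at the 4.2.1 guide the closing line ("Then back to admin guide") relies on rather than dropping it.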