
MOR updates

Brad Poulton, 4 years ago
Parent
Current commit 88da4b851f
3 files changed, 32 insertions and 8 deletions
  1. CIS Benchmarks Audit.md (+16, -1)
  2. Phantom Upgrade Notes.md (+14, -7)
  3. Proxy Notes.md (+2, -0)

+ 16 - 1
CIS Benchmarks Audit.md

@@ -41,7 +41,7 @@ Does the CIS Hardening
 
  Both AWS and Vmware are using the masterless salt. 
 
-Commands run in PROD Sensu is guiena pig
+Commands run in PROD Sensu/Vault are guiena pigs
 First Group pushed to PROD
 salt sensu* state.sls os_modifications.auditd --output-diff
 salt sensu* state.sls os_modifications.timezone --output-diff
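Review bot: the changed line carries the typo "guiena pig" over into "guiena pigs"; spell it "guinea pigs". Since Vault now joins Sensu as the first PROD hosts to receive these hardening states, it is worth saying in the same line that a secrets service is a higher-impact canary than a monitoring host and that each state should be run with `test=true` first, as the vault-1* commands further down this file already do.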
@@ -53,7 +53,11 @@ salt sensu* state.sls os_modifications.fstab --output-diff
 salt sensu* state.sls os_modifications.sysctl --output-diff
 salt sensu* state.sls os_modifications.rsyslog --output-diff
 
+Second Group is 
+salt vault*
 
+Third Group is limited internal, no customers.
+salt -C '* not ( afs* or nga* or ma-* or dc-c19* or la-c19* or nihor* or bp-ot-demo* or bas-* or doed* or ca-c19* or frtib* or dgi* or threatq* or customer* or teleport* or moose*idx* or jira* or openvpn* or phantom-0* )' 
 
 
 
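Review bot: the "Second Group" and "Third Group" entries stop at the target expression (`salt vault*` and the long `salt -C '* not ( ... )'` line) without the `state.sls os_modifications.<state> --output-diff` part the first group lists, so either repeat the state list or state that the same sequence applies. Separately, the third group is defined by exclusion: any minion whose id does not match one of the listed patterns (for example a newly built customer host named outside these prefixes) is silently included in the "limited internal, no customers" group. A positive selector for internal hosts (a grain or nodegroup) would fail closed instead, and running `salt -C '...' test.ping` before the state commands shows exactly which minions the expression matches.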
@@ -123,7 +127,18 @@ salt vault-1* state.sls os_modifications.journald saltenv=feature/bp_MSOCI-1676_
 #fix securetty
 salt vault-1* state.sls os_modifications.securetty saltenv=feature/bp_MSOCI-1676_cis_audit_part2 test=true
 
+#fix pam password remember
+salt vault-1* state.sls os_modifications.tty_history saltenv=feature/bp_MSOCI-1676_cis_audit_part2 test=true
 
+#fix timeout
+salt vault-1* state.sls os_modifications.timeout saltenv=feature/bp_MSOCI-1676_cis_audit_part2 test=true
+
+#fix umask
+salt vault-1* state.sls os_modifications.umask saltenv=feature/bp_MSOCI-1676_cis_audit_part2 test=true
+
+#Fix unowned files and dirs
+salt vault-1* cmd.run 'rm -rf /home/shahid_mahmood'
+salt vault-1* cmd.run 'rm -rf /var/spool/mail/shahid_mahmood'
 
 ```
 
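Review bot: the comment "#fix pam password remember" sits above an `os_modifications.tty_history` state, so either the comment or the state name is wrong; make them agree. The two `cmd.run 'rm -rf ...'` lines under "#Fix unowned files and dirs" are the only commands in this block without `test=true`, so they execute on the first run, and they delete a former user's home directory and mail spool with no record of what was in them. Prefer `user.absent` / `file.absent` states (they honour `test=true` and show up in `--output-diff`), and add a step to archive the directories before removal, since the CIS finding is about ownership, not about the data.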

+ 14 - 7
Phantom Upgrade Notes.md

@@ -7,7 +7,7 @@ See also: the installation notes in `Phantom Notes.md`
 
 # General Notes
 
-Use the `Splunk Phantom` repo, not the `msoc` repo.
+Use the Splunk provided `Splunk Phantom` repo, not the XDR managed `msoc` repo.
 BE SURE TO HAVE AT MOST 55% FREE space  ( 45% used space)
 
 Backup documentation [Restore Splunk Phantom from a backup](https://docs.splunk.com/Documentation/Phantom/4.10.2/Admin/Restorefromabackup)
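Review bot: the context line directly below the change, "BE SURE TO HAVE AT MOST 55% FREE space ( 45% used space)", contradicts itself ("at most" free versus 45% used); it should read "at least 55% free", and since this hunk already edits the neighbouring line, fix it here. The new wording distinguishing the Splunk-provided repo from the XDR-managed `msoc` repo would also be clearer if it gave the repo id as it appears in `yum repolist`, so the reader can confirm which one is actually enabled before running the update.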
@@ -69,24 +69,27 @@ Clean yum
 
 install updates excluding nginx. 
 Watch out for the phantom_repo package being updated! Do not update phantom_repo, yet. If phantom is not running i don't think the package upgrade succeeds. Reboot if kernal is updated.
-`yum update --exclude=nginx`
+`yum update --exclude=nginx --disablerepo phantom-base`
 `shutdown -r now`
 
-Start Phantom
+Start Phantom ( should be already started due to reboot )
 `/opt/phantom/bin/start_phantom.sh`
 
 Install phantom repo and signing keys
-use either the yum upgrade or the rpm command to upgrade the repo package. ( RPM preferred )
+use the rpm command to upgrade the repo package. ( RPM preferred )
 
 `rpm -Uvh https://repo.phantom.us/phantom/<major version.minor version>/base/7Server/x86_64/phantom_repo-<major version.minor version.release.build number>-1.x86_64.rpm`
 
-`rpm -Uvh https://repo.phantom.us/phantom/4.10/base/7Server/x86_64/phantom_repo-4.10.4.56260-1.x86_64.rpm`
+`rpm -Uvh https://repo.phantom.us/phantom/4.10/base/7Server/x86_64/phantom_repo-4.10.6.61906-1.x86_64.rpm`
 
 ## Upgrade
-This takes a LONG time! Use nohup to background the process to avoid SSH timeout issue. Ask Splunk Support for nohup command. 
+This takes a LONG time! Use nohup to background the process to avoid SSH timeout issue. Ask Splunk Support for nohup command. ALTERNATE: Use TMUX to keep session alive. 
 `/opt/phantom/bin/phantom_setup.sh upgrade --without-apps --no-space-check`
 
-SUGGESTED: Open one virtical split window and one horizontal split window in xterm/tmux to watch the upgrade, watch the size of /tmp and watch the /var/log/phantom/phantom_install_log.
+SUGGESTED: Open one vertical split window and one horizontal split window in xterm/tmux to watch the upgrade, watch the size of /tmp and watch the /var/log/phantom/phantom_install_log.
+`tail -f /var/log/phantom/phantom_install_log`
+
+NOTE: You should ignore the "Complete!" messages. They are not indicating that the whole upgrade is complete. They are indicating that one RPM package has been upgraded. 
 
 Upgrade apps after a successful upgrade. 
 
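Review bot: `--disablerepo phantom-base` on the `yum update` line makes the warning two lines above ("Watch out for the phantom_repo package being updated!") largely obsolete, because that repo is no longer consulted; reword the prose to say that the flag is what prevents it, and confirm that `phantom-base` is the repo id shown by `yum repolist` rather than a display name. The `rpm -Uvh https://...` line installs a package fetched straight from the network, so the "signing keys" step above must come first; otherwise rpm only prints a NOKEY warning and installs the package unverified, which is worth stating explicitly. The added `tail -f` line and the note about "Complete!" messages are useful; the "ALTERNATE: Use TMUX" addition should point at the tmux split suggestion below so the two are not read as separate approaches.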
@@ -97,6 +100,10 @@ Upgrade apps after a successful upgrade.
 - verify connectivity to github
 - 
 
+# 4.10.6
+08/2021
+minor upgrade to upgrade Nginx due to Vuln scanner. Also removes use of TLSv1.1
+
 # 4.10.4
 05/2021
 minor upgrade due to known issue with pgbouncer and okta auth. 
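Review bot: the 4.10.6 entry says the upgrade was done "to upgrade Nginx", while the procedure above runs `yum update --exclude=nginx`; say explicitly that nginx is presumably upgraded by the Phantom upgrade itself and must not be updated from the OS repos, so the two do not read as contradictory. Also record which scanner finding or advisory the entry refers to (a placeholder such as "<scanner finding id>" is fine until known), and note that removing TLSv1.1 can break older clients of the Phantom web UI or API, which belongs in the pre-upgrade checks.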

+ 2 - 0
Proxy Notes.md

@@ -22,6 +22,8 @@ What variables are in the actual process environment (2289 process ID)
 
 Check connections. See the TCP state diagram
 `netstat -pant | egrep SYN_SENT`
+Alternate command?
+`ss -4 | egrep SYN`
 SYN_SENT is the state waiting for the destination. 
 
 Look for the pid in the output and see if it matches your process.
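Review bot: `ss -4 | egrep SYN` is not an equivalent of `netstat -pant | egrep SYN_SENT`: without `-p` ss prints no process/pid column, so the next instruction ("Look for the pid in the output") cannot be followed, and ss spells the state `SYN-SENT` with a hyphen, which is why the pattern here had to be shortened to `SYN`. Suggest `ss -4tanp | egrep SYN-SENT` and turn "Alternate command?" into a statement once it has been checked on a host.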