# Reposerver Notes ## How to add a new package to the reposerver (which we want to move to S3) Conduct security checks on packages: ``` #GPGKey check can be two types of GPG keyrings used on RPM-based systems; RPM or YUM GPG keyring - we use RPM #Import GPG Pub keys to verify signatures in lieu of SHA (if necessary): https://www.redhat.com/sysadmin/rpm-gpg-verify-packages # Upload the file to the reposerver via tsh scp or Web UI tsh --proxy=teleport.xdrtest.accenturefederalcyber.com scp Nessus-10.2.0-es7.x86_64.rpm reposerver.pvt.xdrtest.accenturefederalcyber.com: tsh --proxy=teleport.xdr.accenturefederalcyber.com scp Nessus-10.2.0-es7.x86_64.rpm reposerver.pvt.xdr.accenturefederalcyber.com: cd /var/www/html/redhat/msoc/Packages/ # example of verifying Sensu upgrade wget https://packagecloud.io/sensu/stable/gpgkey # view public gpg key downloaded cat 'name of key' # import the gpgkey into the RPM database for use rpm --import 'name of key' # list the gpg key in the RPM database rpm -qa 'name of key'* # visit site to view original hash of package via URL in this example for Sensu Go Agent 6.8; then download package wget --content-disposition https://packagecloud.io/sensu/stable/packages/el/7/sensu-go-cli-6.8.0-6692.x86_64.rpm/download.rpm # validate package signature with name of the package downloaded rpm -K 'name of package' # validate SHA256 integrity hash and match hash with vendor sha256sum 'name of package' # cleanup old GPGKey associated with package after SHA256 passed and previous version of package - keep the current package version in Repo rm -rf 'name of key' && rm -rf 'name of package' ``` msoc-repo Drop the package(s) that need upgraded into `/var/www/html/redhat/msoc/Packages` and ensure they're owned by `apache` ``` # Multiple Lines sudo -u apache /bin/bash cd /var/www/html/redhat && createrepo msoc exit restorecon -R /var/www/html/redhat/ # Oneliner chown -R apache:apache /var/www/html/redhat/msoc/Packages/ && cd /var/www/html/redhat/ && sudo -u apache createrepo msoc && restorecon -R /var/www/html/redhat/ # Splunk Repo uses the version chown -R apache:apache /var/www/html/splunk/8.2/ && cd /var/www/html/splunk/ && sudo -u apache createrepo 8.2 && restorecon -R /var/www/html/splunk/8.2 # Tenable Repo chown -R apache:apache /var/www/html/tenable/ && cd /var/www/html/ && sudo -u apache createrepo tenable && restorecon -R /var/www/html/tenable ``` ``` # From target server; clean out the cache yum clean all && yum makecache fast # From target server; view the available packages yum --disablerepo="*" --enablerepo="msoc" list available yum --disablerepo="*" --enablerepo="tenable" list available yum --disablerepo="*" --enablerepo="splunk" list available # From target server yum install 'name of package' ``` ## splunk repo 05/06/2020 Defined in salt/fileroots/splunk/new_install.sls /etc/yum.repos.d/splunk.repo http://reposerver.msoc.defpoint.local/splunk New Splunk Version Splunk 7.2 needs to be created for PROD moose ``` cd /var/www/html/splunk mkdir 7.2 chown -R apache: . cd 7.2 wget -O splunk-7.2.5.1-962d9a8e1586-linux-2.6-x86_64.rpm 'https://www.splunk.com/page/download_track?file=7.2.5.1/linux/splunk-7.2.5.1-962d9a8e1586-linux-2.6-x86_64.rpm&ac=&wget=true&name=wget&platform=Linux&architecture=x86_64&version=7.2.5.1&product=splunk&typed=release' chown -R apache: . cd /var/www/html/splunk/7.2 sudo -u apache createrepo `pwd` restorecon -R /var/www/html/splunk ```