Home Explore Help
Register Sign In
AFS
/
infrastructure-notes
2
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: b96146e0b2
Branches Tags
infrastructure-...
/
Packer Salt Master FIPS Notes.md

Packer Salt Master FIPS Notes.md 2.1 KB
History Raw

Packer Salt Master FIPS Notes

check for FIPS cat /proc/sys/crypto/fips_enabled 1

Latest in test: MSOC_RedHat_Master_201909301534 Latest in prod: MSOC_RedHat_Master_201907012051

move this terraform/02-msoc_vpc/conf/provision_salt_master.sh

to here packer/rhel7_hardened_saltmaster_ami.json

AWS_PROFILE=mdr-test aws secretsmanager get-secret-value --secret-id saltmaster/ssh_key --query SecretString --output text

Build error ==> master: + sudo firewall-cmd --permanent --zone=public --add-port=4505-4506/tcp

master: success

==> master: + sudo firewall-cmd --reload ==> master: + sudo systemctl enable salt-master

master: success

==> master: Created symlink from /etc/systemd/system/multi-user.target.wants/salt-master.service to /usr/lib/systemd/system/salt-master.service. ==> master: /home/centos/script_7740.sh: line 56: unexpected EOF while looking for matching `"' ==> master: Provisioning step had errors: Running the cleanup provisioner, if present... ==> master: Terminating the source AWS instance...

test instance packer_5e700a93-aa62-0731-0405-1488fc6aa8

PROD Steps Document the salt keys currently accepted to ensure they all come back. poweroff salt-master create snapshot of salt-master EBS check on TF plan terminate salt-master use TF to re-create salt-master log into salt-master via bastion + msoc_build key wait for cloud-init scripts to finish running wait for state.highstate to finish running (like solid 15 minutes) verify cloud-init scripts completed successfully (check on stuff) /var/lib/cloud/instance/scripts/part-002 Ensure vault.conf is not foobar and messing up pillars if needed run salt_master state like this salt-call state.sls salt_master salt salt* pillar.item my-pillar salt-call state.sls os_modifications.ssh_motd salt-call state.sls os_modifications.ssh_banner salt-call state.sls sensu_agent

clean up SFT and remove old salt-master

restart local minions via SSM/SSH pop nodes should reconnect to elastic IP of salt master ( no DNS issue)

Run with SSM systemctl restart salt-minion

"missing" minions github-enterprise-0 qualys_scanner qualys_scanner_2