e.g. RHEL patch update for TSSA
Renew 0901
READY INFO
========================================================
Date 00906
System 3ECC
OS Ver RHEL 7.9 20220728
Backup rear Wait for Rhine's signal
Time 1800
TICPrimary Wan, Ram Cheuk Ka
TICBackup Wong, Alfred Pui Hong
RFS# 480709
PCL XXXXXX
Ignore XXXXXX
Run down XXXXXX
TSSA Job OP-RH7-2022H2-3ECC-P-01
Password XXXXXX
Hostname IP Pending Exception Excepted Rule
uadecc21
uadecc20
-----------------------
Command install:
-----------------------
====================================
run analysis in TSSA before OP RHEL
====================================
I'll apply RHEL 8.6 patch update to 3ECC hosts below now.
Kindly note RHEL 8.6 patch update to 3ECC hosts completed.
I'll apply RHEL 7 patch update to 3ECC hosts below now.
Kindly note RHEL 7 patch update to 3ECC hosts completed.
======================================================
1: checking
(status check)
more /etc/redhat-release;uname -a;date;uptime;rpm -qa kernel;df -h|egrep -v 'overlay|shm|tmpfs';ls -ld /BE*;cat /etc/rear/local.conf;cd /etc/yum.repos.d;ls;vgs;lvs;ls -l /sysbackup;more iso.repo;crontab -l
cut photo (1,2)
uptime; date; uname -a; cat /etc/redhat-release;rpm -qa kernel ;df -h |egrep -v "shm|tmpfs|overlay"
su operator
------------------------------------------
2: take snapshot after shutting down the host.
(way 1)
rear -v mkbackup
## download ISO file to D:\Chi\ISO_Backup
## ISO location /sysbackup
## cat /etc/rear/local.conf
Copy ISO for daily backup to local PC:
/sysbackup
(way 2)
# vgs;lvs ###check
VG #PV #LV #SN Attr VSize VFree
rhel 1 4 0 wz--n- 103.88g 8.00m ( free space > 30G )
#remove old backup
lvremove /dev/rhel/root_snap
lvremove /dev/rhel/var_snap
lvremove /dev/rhel/home_snap
#create snapshot and check snapshot
lvcreate --size 10G --snapshot --name root_snap /dev/rhel/root
lvcreate --size 10G --snapshot --name var_snap /dev/rhel/var
lvcreate --size 6G --snapshot --name home_snap /dev/rhel/home
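Before the three lvcreate commands in way 2, a practitioner wants proof that the VG can actually hold the snapshots; the sample vgs output above shows VFree of 8.00m beside a note that more than 30G is needed, which is exactly the case lvcreate would fail on. The script below is an added example, not part of the runbook: it parses a vgs line in the runbook's column layout and compares VFree against the runbook's snapshot sizes (10G + 10G + 6G). The vgs line is a constructed sample; on a live host you would pass the output of `vgs --noheadings --units g -o vg_name,vg_free rhel` instead.

```shell
#!/bin/sh
# Added example, not part of the runbook: before the three lvcreate commands in
# step 2 (way 2), confirm the volume group really has room for all the snapshots.
# The vgs line is a constructed sample in the runbook's column layout
# (VG #PV #LV #SN Attr VSize VFree); on a live host pass the output of
#   vgs --noheadings --units g -o vg_name,vg_free rhel
# instead. Snapshot sizes are the ones the runbook requests (10G, 10G, 6G).

SAMPLE_VGS_LINE='rhel 1 4 0 wz--n- 103.88g 8.00m'   # constructed sample
SNAPSHOT_SIZES='10G 10G 6G'                            # --size values from step 2

# Convert an LVM size such as 8.00m, 103.88g, 10G or 1.50t to whole MiB (rounded down)
size_to_mib() {
    printf '%s\n' "$1" | awk '{
        s = tolower($0)
        unit = substr(s, length(s), 1)
        v = substr(s, 1, length(s) - 1) + 0
        if      (unit == "k") v = v / 1024
        else if (unit == "g") v = v * 1024
        else if (unit == "t") v = v * 1024 * 1024
        printf "%d\n", v
    }'
}

# VFree is the last column of a vgs line; print it in MiB
vg_free_mib() {
    size_to_mib "$(printf '%s\n' "$1" | awk '{ print $NF }')"
}

# Total MiB the snapshots in SNAPSHOT_SIZES will need
snapshots_needed_mib() {
    total=0
    for s in $SNAPSHOT_SIZES; do
        total=$(( total + $(size_to_mib "$s") ))
    done
    printf '%d\n' "$total"
}

# Return 0 (and say OK) if the VG on the given vgs line can hold the snapshots,
# otherwise return 1 so a wrapper script stops before any lvcreate runs
check_snapshot_space() {
    free=$(vg_free_mib "$1")
    need=$(snapshots_needed_mib)
    if [ "$free" -ge "$need" ]; then
        printf 'OK: %s MiB free, %s MiB needed\n' "$free" "$need"
        return 0
    fi
    printf 'INSUFFICIENT: %s MiB free, %s MiB needed; extend the VG or reduce snapshot sizes first\n' "$free" "$need"
    return 1
}

# Demo: the constructed sample has 8 MiB free, so this reports INSUFFICIENT;
# "|| :" keeps a 'set -e' shell from aborting the demo.
check_snapshot_space "$SAMPLE_VGS_LINE" || :
```

Run check_snapshot_space before the lvremove/lvcreate sequence and stop on a non-zero return; the old snapshots removed by lvremove return their extents to the VG, so re-run vgs after the lvremove step if you want to count that space.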
(way 3)
create snapshot in vCenter (delete snapshot after 3 days)
https://hkgviwvt-03.hkg.hkbea.com
login vCenter
vm snapshot mark name format:
RFS 473710 Before RHEL 7.9 Patch update - 20220826
Des
hkg\tctr972
Remove after 29-AUG-2022 due to
------------------------------------------
3: OS Patch in TSSA
create folder, create job, name format:
dep name : OP-RH7-2022H2-3ECC-U-01
4:
uptime
Reboot
-----------
5: checking
(status check)
more /etc/redhat-release;uname -a;date;uptime;rpm -qa kernel;df -h|egrep -v 'overlay|shm|tmpfs';ls -ld /BE*;cat /etc/rear/local.conf;cd /etc/yum.repos.d;ls;vgs;lvs;ls -l /sysbackup;more iso.repo;crontab -l
cut photo (1,2)
uptime; date; uname -a; cat /etc/redhat-release;rpm -qa kernel ;df -h |egrep -v "shm|tmpfs|overlay"
su operator
=====================
6-1: sshd weak
sshd -T | grep kex
cp -rp /etc/ssh/sshd_config /etc/ssh/sshd_config_20220826
vi /etc/ssh/sshd_config
#weak key
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
Here is the list of weak algorithms to be removed as per Nessus scanning result:
1. diffie-hellman-group-exchange-sha1
2. diffie-hellman-group1-sha1
3. gss-gex-sha1-*
4. gss-group1-sha1-*
5. gss-group14-sha1-*
6. rsa1024-sha1
# check edit
cat /etc/ssh/sshd_config | grep KexAlgorithms
systemctl restart sshd
----------------------------
6-2: ssh weak
ssh -Q kex
cp -rp /etc/ssh/ssh_config /etc/ssh/ssh_config_20220826
vi /etc/ssh/ssh_config
#ssh weak key
KexAlgorithms diffie-hellman-group14-sha1,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,curve25519-sha256,curve25519-sha256@libssh.org
#checking
ssh -vvv 127.0.0.1
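Steps 6-1 and 6-2 both come down to the same check: does the effective KexAlgorithms value (sshd -T on the server, ssh -Q kex on the client) still contain any of the six algorithms Nessus flagged? The script below is an added example, not part of the runbook: it takes the list as a string so it runs offline, reports each deny-listed entry, and prints the value with those entries removed. The sample list is constructed, and the gss-* suffix in it is a placeholder, not a real algorithm name. It flags only the six patterns from the runbook's list, so anything else you decide to drop is still a manual call.

```shell
#!/bin/sh
# Added example, not part of the runbook: checks a KexAlgorithms value against the
# six weak algorithms listed in step 6-1 and prints a value with them removed.
# It takes the list as a string so it runs offline; on a live host use, e.g.:
#   check_kex_line "$(sshd -T | grep '^kexalgorithms')"          # server, step 6-1
#   check_kex_line "kexalgorithms $(ssh -Q kex | paste -sd,)"    # client, step 6-2

# Constructed sample, not captured from a real host; the gss-* suffix is a placeholder
SAMPLE_KEX_LIST='curve25519-sha256,diffie-hellman-group1-sha1,gss-gex-sha1-PLACEHOLDER==,diffie-hellman-group14-sha256'
SAMPLE_SSHD_T="kexalgorithms $SAMPLE_KEX_LIST"

# Return 0 if the single algorithm name in $1 is on the step 6-1 deny-list
is_weak_kex() {
    case "$1" in
        diffie-hellman-group-exchange-sha1|diffie-hellman-group1-sha1|rsa1024-sha1) return 0 ;;
        gss-gex-sha1-*|gss-group1-sha1-*|gss-group14-sha1-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the comma-separated list in $1 with deny-listed entries removed
filter_weak_kex() {
    kept=""
    old_ifs=$IFS; IFS=,
    set -f                      # operator-supplied input must not be glob-expanded
    for alg in $1; do
        is_weak_kex "$alg" || kept="${kept:+$kept,}$alg"
    done
    set +f
    IFS=$old_ifs
    printf '%s\n' "$kept"
}

# Given an "sshd -T" style line ("kexalgorithms a,b,c"), print every deny-listed
# entry as WEAK and return 1 if any were present, 0 if the line is clean
check_kex_line() {
    value=${1#"kexalgorithms "}
    found=0
    old_ifs=$IFS; IFS=,
    set -f
    for alg in $value; do
        if is_weak_kex "$alg"; then
            printf 'WEAK: %s\n' "$alg"
            found=1
        fi
    done
    set +f
    IFS=$old_ifs
    return "$found"
}

# Demo on the constructed sample: report, then show the hardened value.
# The sample deliberately contains weak entries, so "|| :" keeps a 'set -e'
# shell from aborting here.
check_kex_line "$SAMPLE_SSHD_T" || :
printf 'Hardened KexAlgorithms: %s\n' "$(filter_weak_kex "$SAMPLE_KEX_LIST")"
```

Run check_kex_line against sshd -T after the systemctl restart sshd in 6-1 as the "check edit" step: grepping sshd_config only shows what was typed, while sshd -T shows what the daemon actually negotiates, which also catches a Match block or an include overriding the edit.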
============================================
8: Baseline:
check: G:\USST\Inventory\info-4.xlsm
(bypass:7,16,23)
/opt/scripts/pcs/RHL_RE_Baseline.sh
cd /opt/logs/hardening/report/
cd /opt/logs/hardening/Checklist
tail /opt/logs/hardening/Checklist/Config_Chklist_20220819.txt
tail /opt/logs/hardening/Checklist/Config_Chklist_20220826.txt
-------------------point 3 ------------------
### View Detail
more /opt/logs/hardening/report/hardening_report_20220826.txt
#change name if size is 0.
ls -al /etc/cron.deny*
mv /etc/cron.deny /etc/cron.deny.20220826
------------------point 7----------------
cat /opt/logs/hardening/report/hardening_report_20220826_dir_file/hardening_report_20220826_L7_nousr.txt
cat /opt/logs/hardening/report/hardening_report_20220826_dir_file/hardening_report_20220826_L7_nousr_diff_rslt.txt
------------------16-------------------
| Creating list of World Writable Directory ...
| Creating list of World Writable File ...
cat /opt/logs/hardening/report/hardening_report_20220826_dir_file/hardening_report_20220826_L16_wwd.txt
cat /opt/logs/hardening/report/hardening_report_20220826_dir_file/hardening_report_20220826_L16_wwf.txt
cat /opt/logs/hardening/report/hardening_report_20220826_dir_file/hardening_report_20220826_L16_wwd_diff_rslt.txt
cat /opt/logs/hardening/report/hardening_report_20220826_dir_file/hardening_report_20220826_L16_nousr_wwf_rslt.txt
----------4.1.3-----------------
cp /etc/audit/rules.d/audit.rules /etc/audit/rules.d/audit.rules20220826
cp /etc/audit/audit.rules /etc/audit/audit.rules20220826
vi /etc/audit/rules.d/audit.rules
vi /etc/audit/audit.rules
--replace below---
## First rule - delete all
-D
## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192
## Set failure mode to syslog notice {these two are mutually exclusive}
-f 1
## Record events that modify account information
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
## Record logon and logout Events
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
## Record discretionary access control permission modification events
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
## Record unauthorized access attempts to files
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
## Record changes to /etc/sudoers
-w /etc/sudoers -p wa -k actions
# Audit all commands
-a exit,always -F arch=b32 -S execve
-a exit,always -F arch=b64 -S execve
## Make the configuration immutable
##-e 2
======================================================
===============================================
running in background
nohup /opt/scripts/pcs/RHL_RE_Baseline.sh &
##or
/opt/scripts/pcs/RHL_RE_Baseline.sh &
================================================
PCL (Details )
BAU
UAT tested; Regular OS patch
very low
3UNX
time
RFS476905
3ECC1
PATCH - RHEL 7.9 20220728 patch update for 3ECC
=======================================================================
--------------------------------
3icp host stop service command:
systemctl disable kubelet
systemctl disable docker
--------------------------------
Kevin Fan
2022-09-06