• List of iSCSI Mutual CHAP Posts by OS
  • Tools and Utilities for Windows
  • Unix and Linux Distros

slice2

slice2

Tag Archives: Security

Patch Alma Linux 8.7 on an Offline or Air-Gapped System

03 Friday Feb 2023

Posted by Slice2 in Linux, Security

≈ Leave a comment

Tags

Linux, Security

So you’ve successfully switched from CentOS to Alma Linux and your hosts are on an isolated network. This post demonstrates how to patch a Alma Linux 8.7 host when it doesn’t have internet access or is an isolated system with no access to a yum repo.

On a host with internet access (Public facing host), perform the following steps. I used a Alma Linux 8.7 VM running on Windows 11 and VirtualBox 7.0.6. As long as you have internet access, any rpm based Linux distro will do as long as it has rsync, genisoimage, and yum-utils.

1) Make sure you have rsync, genisoimage and yum-utils installed. If not install them.

> sudo rpm -q genisoimage-*
genisoimage-1.1.11-39.el8.x86_64

> sudo rpm -q yum-utils
yum-utils-4.0.21-11.el8.noarch

> sudo rpm -q rsync
rsync-3.1.3-14.el8_6.2.x86_64

a) If not, install them.

> sudo yum install genisoimage
> sudo yum install yum-utils
> sudo yum install rsync

2) On your internet facing host, create folders for the repos and packages you need. You can specify any folder(s) you require. I require the repos below, but you may need packages installed from other repos so create those folders. Most people only need BaseOS and AppStream. The “updates” repo is no longer used in 8x and has been removed. Updated packages are just placed in their regular repo and not separated. The full list can be found on a mirror site like this one I use https://mirrors.rit.edu/almalinux/8.7/ but you can use any mirror you like.

a) Create the folders locally and harvest the data from the mirror site using rsync. Note that these folders will create an approx 35 Gig ISO file in step 3. You need a Blu-ray burner or USB drive to move the file to your air-gapped hosts. Also make sure the filesystem you write the ISO to has enough space. Note that there are two dashes before “- -“progress below, not one. It renders as one dash so make sure you have two dashes before progress or just remove that option from your cli. I have noticed that if you copy/paste from html to PuTTY or a terminal window and the rsync command fails, you have to backspace over the dashes in front of “avrt” and “progress” and retype them.

> sudo mkdir -pv /repo/BaseOS
> sudo /usr/bin/rsync -avrt – -progress rsync://mirrors.rit.edu/almalinux/8.7/BaseOS/x86_64/os/ /repo/BaseOS

> sudo mkdir -pv /repo/AppStream
> sudo /usr/bin/rsync -avrt – -progress rsync://mirrors.rit.edu/almalinux/8.7/AppStream/x86_64/os/ /repo/AppStream

3) Use genisoimage to create an ISO of the whole set. Note that in the command below, I write this ISO image to a VirtualBox shared folder mounted at /media/sf_vboxshare. Use any path you like as long as it is big enough. The syntax is: genisoimage cli options – location and name of ISO file to be created and files/folders to be included in the ISO.

> genisoimage -U -r -v -J -joliet-long -allow-multidot -allow-lowercase -iso-level 4 -o /media/sf_vboxshare/AlmaLinux8.7.repo.2023FEB03.iso /repo

4) Burn the ISO (as a file, not as an extracted image) to a Blu-ray, or copy to a USB drive and move it to the offline or air-gapped host. Since I have VMs, I will automount the ISO to the VM. If you need to mount the ISO on a host with a Blu-ray, USB drive, or from the local filesystem, the next three steps outline how to do it.

a) Mount the ISO on your offline or air-gapped system. You have options if you don’t automount ISOs. If your host is a VM, mount it as your hypervisor dictates. You can copy the ISO to the local filesystem and mount it. Or, manually mount the ISO from a local or USB attached Blu-ray or USB drive.

b) If copied to the local file system:

> sudo mkdir /mnt/iso
> sudo mount -t iso9660 -o loop /home/repouser/AlmaLinux8.7.repo.2023FEB03.iso /mnt/iso/

c) If mounted via usb drive or if automount is not enabled:

> sudo mkdir /mnt/iso
> sudo blkid (to find your cd/dvd device, chances are its /dev/sr0)
> mount /dev/sr0 /mnt/iso/

d) Verify your mount. The “Mounted on” path is important because it is used below when you create the local.repo file.

> sudo df -h /dev/loop0
Filesystem Size Used Avail Use% Mounted on
/dev/loop0 35G 35G 0 100% /mnt/iso

> sudo df -h /dev/sr0
Filesystem Size Used Avail Use% Mounted on
/dev/sr0 35G 35G 0 100% /mnt/iso

If automounted it could look like this:
> sudo df -h /dev/sr0
Filesystem Size Used Avail Use% Mounted on
/dev/sr0 35G 35G 0 100% /run/media/root/CDROM

e) List the repos that will be used to create the local.repo file. Depending on how you mounted the ISO above (manual or automount), your /dev/sr0 mountpoint will be different. You simply need to adjust the baseurl path in local.repo in the next step.

> sudo ls -l /mnt/iso
or…
> sudo ls -l /run/media/repouser/CDROM
dr-xr-xr-x. 4 root root 2048 Jan 27 02:14 AppStream
dr-xr-xr-x. 7 root root 2048 Jan 27 02:14 BaseOS

5) Create a repos archive folder if it doesn’t already exist. Move existing *.repo files to the archive folder for safe keeping and create the new local.repo file.

> sudo mkdir -pv /etc/yum.repos.d/archive
> cd /etc/yum.repos.d/
> sudo /bin/mv *.repo archive/
> sudo vi local.repo

Copy/paste everything below between the # Start custom local.repo file # header and footer into the local.repo and wq! to save the file. Note the baseurl= file path. Edit this path based on how you mounted in step 4d above. Since I automounted the ISO in a VM, I used the ///run/media/root/CDROM/”repo name” path format.

If automounted, its baseurl=file:///run/media/root/CDROM/repo name/
If manually mounted, its baseurl=file:///mnt/iso/repo name/

# Start custom local.repo file #

[baseos-source]
name=AlmaLinux $releasever – BaseOS Source
baseurl=file:///run/media/root/CDROM/BaseOS
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux

[appstream-source]
name=AlmaLinux $releasever – AppStream Source
baseurl=file:///run/media/root/CDROM/AppStream
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux

# End custom local.repo file #

6) Update the host and reboot. If you get errors trying to run yum update due to gpg checks, just comment out gpgkey and change gpgcheck to 0 in the local.repo file, and then run yum update again. Or, you can download the key here https://mirrors.rit.edu/almalinux/RPM-GPG-KEY-AlmaLinux-8 and place it in /etc/pki/rpm-gpg.

a) Configure the repo and update.
> yum clean all
> yum repolist all
repo id repo name status
appstream-source AlmaLinux 8 – AppStream Source enabled
baseos-source AlmaLinux 8 – BaseOS Source enabled

> yum update

Transaction Summary
====================================================
Install 5 Packages
Upgrade 138 Packages

Total size: 450 M
Is this ok [y/N]: y
Downloading Packages:

b) If you get gpg errors, verify that you have the keys installed. The green key below is the one used in the gpgkey= path above in local.repo. If not installed, comment out gpgkey= and set gpgcheck to 0 in the local.repos file above or download the keys and copy to /etc/pki/rpm-gpg/.

> sudo gpg -quiet –show-keys /etc/pki/rpm-gpg/*
gpg: out of core handler ignored in FIPS mode
pub rsa4096 2021-01-12 [C] [expires: 2024-01-12]
5E9B8F5617B5066CE92057C3488FCF7C3ABB34F8
uid AlmaLinux <packager@almalinux.org>
sub rsa3072 2021-01-12 [S] [expires: 2024-01-12]

pub rsa4096 2009-02-24 [SC]
B08B659EE86AF623BC90E8DB938A80CAF21541EB
uid Red Hat, Inc. (beta key 2) <security@redhat.com>

pub rsa4096 2009-10-22 [SC]
567E347AD0044ADE55BA8A5F199E2F91FD431D51
uid Red Hat, Inc. (release key 2) <security@redhat.com>

> reboot

c) After reboot, eject the ISO if still mounted.
> umount /dev/sr0

Patch Rocky Linux 8.6 on an Offline or Air-Gapped System

30 Saturday Jul 2022

Posted by Slice2 in Linux, Security

≈ Leave a comment

Tags

Linux, Security

So you’ve successfully switched from CentOS to Rocky Linux and your hosts are on an isolated network. This post demonstrates how to patch a Rocky Linux 8.6 host when it doesn’t have internet access or is an isolated system with no access to a yum repo.

On a host with internet access (Public facing host), perform the following steps. I used a Rocky Linux 8.6 VM running on Windows 11 and VirtualBox 6.1.36. As long as you have internet access, any rpm based Linux distro will do as long as it has rsync, genisoimage, and yum-utils.

1) Make sure you have rsync, genisoimage and yum-utils installed. If not install them.

> sudo rpm -q genisoimage-*
genisoimage-1.1.11-39.el8.x86_64

> sudo rpm -q yum-utils
yum-utils-4.0.21-11.el8.noarch

> sudo rpm -q rsync
rsync-3.1.3-14.el8_6.2.x86_64

a) If not, install them.

> sudo yum install genisoimage
> sudo yum install yum-utils
> sudo yum install rsync

2) On your internet facing host, create folders for the repos and packages you need. You can specify any folder(s) you require. I require the repos below, but you may need packages installed from other repos so create those folders. Most people only need BaseOS and AppStream. The “updates” repo is no longer used in 8x and has been removed. Updated packages are just placed in their regular repo and not separated. The full list can be found on a mirror site like this one I use: https://mirrors.rit.edu/rocky/8.6/

a) Create the folders locally and harvest the data from the mirror site using rsync. Note that these folders will create an approx 19 Gig ISO file in step 3. You need a Blu-ray burner or USB drive to move the file to your air-gapped hosts. Also make sure the filesystem you write the ISO to has enough space. Note that there are two dashes before “- -“progress below, not one. It renders as one dash so make sure you have two dashes before progress or just remove that option from your cli.

> sudo mkdir -pv /repo/BaseOS
> sudo /usr/bin/rsync -avrt – -progress rsync://mirrors.rit.edu/rocky/8.6/BaseOS/x86_64/os/ /repo/BaseOS

> sudo mkdir -pv /repo/AppStream
> sudo /usr/bin/rsync -avrt – -progress rsync://mirrors.rit.edu/rocky/8.6/AppStream/x86_64/os/ /repo/AppStream

> sudo mkdir -pv /repo/PowerTools
> sudo /usr/bin/rsync -avrt – -progress rsync://mirrors.rit.edu/rocky/8.6/PowerTools/x86_64/os/ /repo/PowerTools

> sudo mkdir -pv /repo/extras
> sudo /usr/bin/rsync -avrt – -progress rsync://mirrors.rit.edu/rocky/8.6/extras/x86_64/os/ /repo/extras

> sudo mkdir -pv /repo/Devel
> sudo /usr/bin/rsync -avrt – -progress rsync://mirrors.rit.edu/rocky/8.6/Devel/x86_64/os/ /repo/Devel

3) Use genisoimage to create an ISO of the whole set. Note that in the command below, I write this ISO image to a VirtualBox shared folder mounted at /media/sf_vboxshare. Use any path you like as long as its big enough. The syntax is: genisoimage cli options – location and name of ISO file to be created and files/folders to be included in the ISO.

> genisoimage -U -r -v -J -joliet-long -allow-multidot -allow-lowercase -iso-level 4 -o /media/sf_vboxshare/rocky8.6.repo.2022JUL29.iso /repo

4) Burn the ISO (as a file, not as an extracted image) to a Blu-ray, or copy to a USB drive and move it to the offline or air-gapped host. Since I have VMs, I will automount the ISO to the VM. If you need to mount the ISO on a host with a Blu-ray, USB drive, or from the local filesystem, the next three steps outline how to do it.

a) Mount the ISO. You have options if you don’t automount ISOs. If your host is a VM, mount it as your hypervisor dictates. You can copy the ISO to the local filesystem and mount it. Or, manually mount the ISO from a local or USB attached Blu-ray or USB drive.

b) If copied to the local file system:

> sudo mkdir /mnt/iso
> sudo mount -t iso9660 -o loop /home/repouser/rocky8.6.repo.2022JUL29.iso /mnt/iso/

c) If mounted via usb drive or if automount is not enabled:

> sudo mkdir /mnt/iso
> sudo blkid (to find your cd/dvd device, chances are its /dev/sr0)
> mount /dev/sr0 /mnt/iso/

d) Verify your mount. The “Mounted on” path is important because it is used below when you create the local.repo file.

> sudo df -h /dev/loop0
Filesystem Size Used Avail Use% Mounted on
/dev/loop0 19G 19G 0 100% /mnt/iso

> sudo df -h /dev/sr0
Filesystem Size Used Avail Use% Mounted on
/dev/sr0 19G 19G 0 100% /mnt/iso

If automounted it could look like this:
> sudo df -h /dev/sr0
Filesystem Size Used Avail Use% Mounted on
/dev/sr0 19G 19G 0 100% /run/media/root/CDROM

e) List the repos that will be used to create the local.repo file. Depending on how you mounted the ISO above (manual or automount), your /dev/sr0 mountpoint will be different. You simply need to adjust the baseurl path in local.repo in the next step.

> sudo ls -l /mnt/iso
or….
> sudo ls -l /run/media/repouser/CDROM

dr-xr-xr-x. 4 root root 2048 Jul 28 23:35 AppStream
dr-xr-xr-x. 7 root root 2048 Jul 28 23:30 BaseOS
dr-xr-xr-x. 4 root root 2048 Jul 28 23:14 Devel
dr-xr-xr-x. 4 root root 2048 Jul 28 23:13 extras
dr-xr-xr-x. 2 root root 2048 Jul 29 15:41 PowerTools

5) Create a repos archive folder if it doesn’t already exist. Move existing *.repo files to the archive folder for safe keeping and create the new local.repo file.

> sudo mkdir -pv /etc/yum.repos.d/archive
> cd /etc/yum.repos.d/
> sudo /bin/mv *.repo archive/
> cd /etc/yum.repos.d/
> sudo vi local.repo

Copy/paste everything below between the # Custom local.repo file # header and footer into the local.repo and wq! to save the file. Note the baseurl= file path. Edit this path based on how you mounted in step 4d above. Since I automounted the ISO, I used the ///run/media/root/CDROM/repo name/ path format.

If automounted, its baseurl=file:///run/media/root/CDROM/repo name/
If manually mounted, its baseurl=file:///mnt/iso/repo name/

# Custom local.repo file #
[appstream]
name=Rocky Linux $releasever – AppStream
baseurl=file:///run/media/root/CDROM/AppStream/
gpgcheck=1
enabled=1
countme=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rockyofficial

[baseos]
name=Rocky Linux $releasever – BaseOS
baseurl=file:///run/media/root/CDROM/BaseOS/
gpgcheck=1
enabled=1
countme=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rockyofficial

[devel]
name=Rocky Linux $releasever – Devel WARNING! FOR BUILDROOT AND KOJI USE
baseurl=file:///run/media/root/CDROM/Devel/
gpgcheck=1
enabled=0
countme=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rockyofficial

[extras]
name=Rocky Linux $releasever – Extras
baseurl=file:///run/media/root/CDROM/extras/
gpgcheck=1
enabled=1
countme=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rockyofficial

[powertools]
name=Rocky Linux $releasever – PowerTools
baseurl=file:///run/media/root/CDROM/PowerTools/
gpgcheck=1
enabled=0
countme=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rockyofficial
# Custom local.repo file #

6) Update the host and reboot. If you get errors trying to run yum update due to gpg checks, just comment out gpgkey and change gpgcheck to 0 in the local.repo file, and then run yum update again. Or, you can download the keys here: https://rockylinux.org/keys/

a) Verify if you have the keys installed. The green key below is the one used in the gpgkey= path above in local.repo. If not installed, comment out gpgkey= and set gpgcheck to 0 in the local.repos file above or download the keys and copy to /etc/pki/rpm-gpg/.

> sudo gpg –quiet –show-keys /etc/pki/rpm-gpg/*
pub rsa4096 2009-10-22 [SC]
567E347AD0044ADE55BA8A5F199E2F91FD431D51
uid Red Hat, Inc. (release key 2) <security@redhat.com>

pub rsa4096 2021-02-14 [SCE]
7051C470A929F454CEBE37B715AF5DAC6D745A60
uid Release Engineering <infrastructure@rockylinux.org>

pub rsa4096 2021-02-14 [SCE]
091A44047C3D8B7A331F5E185489E42BBBE2C108
uid Release Engineering <infrastructure@rockylinux.org>

> yum update
> reboot

b) After reboot, eject the ISO.
> umount /dev/sr0

 

Sysmon Event ID 1 Process Creation rules for Splunk Universal Forwarder and McAfee All Access

20 Saturday Nov 2021

Posted by Slice2 in Security, Splunk

≈ Leave a comment

Tags

Security, Splunk, Sysmon

When using Sysmon to monitor processes in Splunk, you can exclude the chattiest processes that eat away at your license and indexing I/O. Splunk recommends excluding its own Universal Forwarder as well as antivirus products.

1) Splunk’s Sysmon Add-on docs list a few options for the sysmon config file. I used the SwiftOnSecurity template and simply added the UF and McAfee executables.

Splunk Add-on for Sysmon Doc:
https://docs.splunk.com/Documentation/AddOns/released/MSSysmon/ConfigureSysmon

Ready to run Sysmon config file:
https://github.com/SwiftOnSecurity/sysmon-config

Sysmon:
https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

2) Open your Sysmon xml config file with Notepad++ or VSCode. Use Notepad++ or VSCode when editing xml on Windows. They recognize UNIX newline format and XML syntax highlighting so your file will be easier to read. Don’t use Notepad.exe. Under the heading <!–SYSMON EVENT ID 1 : PROCESS CREATION [ProcessCreate]–> enter the text below and save the file.

3) When done editing, reload the active config.

> sysmon -c c:\path\to\your_sysmon_config_file_v2.xml

<!–SECTION: Splunk:Universal Forwarder–>
<Image condition=”is”>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe</Image> <!–Splunk:Universal Forwarder: binary that accesses, processes, and indexes streaming data–>
<Image condition=”is”>C:\Program Files\SplunkUniversalForwarder\bin\btool.exe</Image> <!–Splunk:Universal Forwarder: cli util used to troubleshoot config file issues–>
<Image condition=”is”>C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe</Image> <!–Splunk:Universal Forwarder: the control application for the Windows version of Splunk–>
<Image condition=”is”>C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe</Image> <!–Splunk:Universal Forwarder: runs whenever you configure an Active Directory monitoring input–>
<Image condition=”is”>C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe</Image> <!–Splunk:Universal Forwarder: runs when you monitor performance data–>
<Image condition=”is”>C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe</Image> <!–Splunk:Universal Forwarder: runs when you configure Splunk to monitor network information–>
<Image condition=”is”>C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe</Image> <!–Splunk:Universal Forwarder: runs when you configure a Registry monitoring input–>
<Image condition=”is”>C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe</Image> <!–Splunk:Universal Forwarder: event log collections, outputs events as they are collected–>
<Image condition=”is”>C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostmon</Image> <!–Splunk:Universal Forwarder: runs when you configure a Windows host monitoring input–>
<Image condition=”is”>C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe</Image> <!–Splunk:Universal Forwarder: runs when you configure a Windows print monitoring input –>
<Image condition=”is”>C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe</Image> <!–Splunk:Universal Forwarder: runs when you configure a performance monitor–>
<Image condition=”is”>C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe</Image> <!–Splunk:Universal Forwarder: runs when you configure a PowerShell command or script monitor–>
<Image condition=”is”>C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe</Image> <!–Splunk:Universal Forwarder: this input monitors files without using Windows file handles.–>
<!–SECTION: McAfee:AntiVirus–>
<Image condition=”is”>C:\Program Files\Common Files\McAfee\Platform\Core\mchost.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\Common Files\McAfee\Platform\CommonBuild\McCBEntAndInstru.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\Common Files\McAfee\Platform\McPltCmd.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\McAfee\MQS\QcShm.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\McAfee.com\Agent\mcupdate.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\Common Files\McAfee\MSGSDK\msgrunner.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\Common Files\McAfee\TaskScheduler\McAMTaskAgent.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\Common Files\McAfee\UPDMGR\8.1.149.1\mcupdatemgr.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\Common Files\McAfee\CSP\4.1.106.0\McCSPServiceHost.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\McAfee\MSC\mcinfo.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\Common Files\McAfee\Platform\MSM\McSmtFwk.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\Common Files\McAfee\Platform\McUICnt.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\McAfee\MSC\OOBE\mcocrollback.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\McAfee\MSC\McInstru.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\Common Files\McAfee\UPDMGR\8.1.149.1\mcupdutl.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\Common Files\McAfee\DynamicAppDownloader\DADUpdater.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\Common Files\McAfee\HackerWatch\hwupdchk.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\McAfee\MSC\mcsync.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\Common Files\McAfee\ChromiumContainer\delegate.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\McAfee\VUL\McVulCtr.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\McAfee\VUL\McVulCon.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\McAfee\MfeAV\MfeAVSvc.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\McAfee\CoreUI\Launch.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\McAfee.com\Agent\mcagent.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>

HOWTO quickly STIG Firefox 59.01

24 Saturday Mar 2018

Posted by Slice2 in Security

≈ Leave a comment

Tags

Firefox, Security

The latest Firefox STIG leaves out important details and lists settings that no longer exist. It took a few hours to get this config file to work with settings that are actually still available in 59.01. For reference, see: http://kb.mozillazine.org/About:config

Note that I use Notepad++ on Windows to avoid formatting issues with notepad.exe. Do yourself a favor and download the latest at https://notepad-plus-plus.org/

1) Create a file named local-settings.js and add one line. Using Notepad++, you can save it as a proper JavaScript file (.js):
pref(“general.config.filename”,”mozilla.cfg”);

2) Place local-settings.js file in the following locations depending on whether you have x32 or x64 bit Firefox:

For x64 bit:
C:\Program Files\Mozilla Firefox\defaults\pref

For x32 bit:
C:\Program Files (x86)\Mozilla Firefox\defaults\pref

3) Create a file called mozilla.txt. Add the text below (everything under contents of mozilla.txt staring with //Firefox). Launch a browser (Chrome, IE, Opera) and browse to:

http://www.alain.knaff.lu/howto/MozillaCustomization/cgi/byteshf.cgi

4) In the middle of the page, under Upload mozilla.txt to get mozilla.cfg (byteshift 13), click browse, and select your mozilla.txt file. Next, click Convert mozilla.txt to mozilla.cfg, and save the file when prompted.

5) Place the mozilla.cfg file into the root of the Firefox directory as show below.

For x64 bit:
C:\Program Files\Mozilla Firefox\

For x32 bit:
C:\Program Files (x86)\Mozilla Firefox\

6) Start Firefox. In the Location bar, enter about:config. Click I accept the risk. At the top of the page in the center, click Status to sort the status of the settings. All of the locked settings should be italicized with a status of locked.

Contents of mozilla.txt:

//Firefox settings that work from Mozilla_Firefox_V4R20 as of Firefox 59.01 March 2018
lockPref(“security.default_personal_cert”, “Ask Every Time”);
lockPref(“network.protocol-handler.external.shell”, false);
lockPref(“plugin.disable_full_page_plugin_for_types”, “application/pdf,application/doc,application/xls,application/bat,application/ppt,application/mdb,application/mde,application/fdf,application/xfdf,application/lsl,application/lso,application/lss,application/iqy,application/rqy,application/xlk,application/pot,application/pps,application/dot,application/wbk,application/ps,application/eps,application/wch,application/wcm,application/wbi,application/wb1,application/wb3,application/rtf,application/wch,application/wcm,application/ad,application/adp,application/xlt,application/dos,application/wks”);
lockPref(“browser.formfill.enable”, false);
lockPref(“signon.autofillForms”, false);
lockPref(“signon.autofillForms.http”, false);
lockPref(“signon.rememberSignons”, false);
lockPref(“dom.disable_window_open_feature.status”, true);
lockPref(“dom.disable_window_move_resize”, true);
lockPref(“security.tls.version.min”, 2);
lockPref(“security.tls.version.max”, 3);
lockPref(“dom.disable_window_flip”, true);
lockPref(“dom.event.contextmenu.enabled”, false);
lockPref(“dom.disable_window_open_feature.status”, true);
lockPref(“app.update.enabled”, false);
lockPref(“extensions.update.enabled”, false);
lockPref(“browser.search.update”, false);
lockPref(“datareporting.policy.dataSubmissionEnabled”, false);

7) Click the link below for a copy of the files. The zip has a converted mozilla.cfg, the source mozilla.txt, local-settings.js and a README file.

Firefox_STIGv4R20

HOWTO quickly STIG Firefox 45.0.1

22 Tuesday Mar 2016

Posted by Slice2 in Security

≈ Leave a comment

Tags

Firefox, Security

This Firefox STIG leaves out important details. They could make it very simple to implement but they don’t.  For more, see: http://kb.mozillazine.org/About:config

1) Create a file called local-settings.js and add one line:
pref(“general.config.filename”,”mozilla.cfg”);

2) Place local-settings.js in:

c:\<firefox path>\defaults\pref folder.

3) Create a file called mozilla.txt. Add the text below (everything under contents of mozilla.txt).  Launch Firefox and browse to:
http://www.alain.knaff.lu/howto/MozillaCustomization/cgi/byteshf.cgi

4) View the middle of the page. Under Upload mozilla.txt to get mozilla.cfg (byteshift 13), click browse, select your mozilla.txt file. Next, click Convert mozilla.txt to mozilla.cfg, save the file when prompted and place it in c:\<firefox path>\Mozilla Firefox\.

Contents of mozilla.txt:

//Firefox Settings
lockPref(“security.tls.version.min”, 1);
lockPref(“security.default_personal_cert”, “Ask Every Time”);
lockPref(“network.protocol-handler.external.shell”, false);
lockPref(“plugin.disable_full_page_plugin_for_types”, “application/pdf,application/fdf,application/xfdf,application/lsl,application/lso,application/lss,application/iqy,application/rqy,application/xlk,application/xls,application/xlt,application/pot,application/pps,application/ppt,application/dos,application/dot,application/wks,application/bat,application/ps,application/eps,application/wch,application/wcm,application/wb1,application/wb3,application/rtf,application/doc,application/mdb,application/mde,application/ad,application/,application/adp”);
lockPref(“browser.formfill.enable”, false);
lockPref(“signon.autofillForms”, false);
lockPref(“signon.rememberSignons”, false);
lockPref(“privacy.sanitize.sanitizeOnShutdown”, true);
lockPref(“dom.disable_window_open_feature.status”, true);
lockPref(“dom.disable_window_move_resize”, true);
lockPref(“security.tls.version.max”, 3);
lockPref(“dom.disable_window_flip”, true);
lockPref(“dom.event.contextmenu.enabled”, false);
lockPref(“dom.disable_window_status_change”, true);
lockPref(“dom.disable_window_open_feature.status”, true);
lockPref(“browser.startup.homepage”, “about:home”);
lockPref(“app.update.enabled”, false);
lockPref(“extensions.update.enabled”, false);
lockPref(“browser.search.update”, false);
// The end

Completing the vSphere vCenter Appliance Hardening Process

19 Saturday Mar 2016

Posted by Slice2 in Linux, Security, VMware

≈ Leave a comment

Tags

Linux, Security, vCenter, VMware

The vCenter Appliance is a SuSE Linux VM that ships fully hardened by VMware to the DoD STIG specifications. There are a few site specific settings you must perform to complete the hardening. This post provides the steps to complete the process.

1) Change the root password. Login to the appliance and as root, run:
> passwd
New password:
Retype new password:
Password changed.

> cat /etc/shadow | grep root
root:$6$(truncated)

If the root password starts with a $6$ hash, this confirms it is using a sha512 hash.

2) Set password expiry. Change the root expiry from 3 years to 1 year.
> passwd -x 365 root
Password expiry information changed.

3) Execute the Dodscript.sh script.
> cd /etc/
> ./dodscript.sh
Shutting down auditd                done
Starting auditd

4) You may be a company or site that has a custom banner. If so, edit (and verify) the banners to replace the DoD language with your own.
> vi /opt/vmware/etc/isv/welcometextDoD and paste in your banner.
> cat /opt/vmware/etc/isv/welcometextDoD > /etc/issue  (linked to issue.DoD)
> cat /opt/vmware/etc/isv/welcometextDoD > /opt/vmware/etc/isv/welcometext
> cat /opt/vmware/etc/isv/welcometextDoD > /opt/vmware/etc/isv/welcometext.template

5) Configure secure shell, admin accounts, and console access on the appliance. Add a user account that can su to root:
> useradd -s /bin/bash -m -d /home/(your username) -g users -G wheel (your username)

> passwd <your username>
Changing password for (your username)
New password:
Retype new password:
Password changed.

> su – (your username) to verify.

a) Test ability to su to root and verify identity:
> su – root
Password:
Last login: Sat 19 12 12:51:26 UTC 2016 from PC on pts/1
Directory: /root
Tue Mar 19 13:18:33 UTC 2016

> whoami
root

b) Note: The step below isn’t included in the documentation but if you don’t do it you will be locked out.
> vi /etc/security/access.conf

At the end of the file change -:ALL:ALL to +:ALL:ALL

c) Test that the user you just created can login via SSH and su – root before you proceed. Use ssh cli, PuTTY, etc.
> ssh -v (your username)@(your vCenter appliance hostname or IP)
Once logged in:
> su – root

d) Disable direct root SSH access to the appliance.
> vi /etc/ssh/sshd_config

change PermitRootLogin yes to PermitRootLogin no

e) Restrict SSH to the local network of the appliance.
> vi /etc/hosts.allow and add the following:

sshd:127.0.0.1:ALLOW
sshd:[::1]:ALLOW
sshd:(the same network your appliance is on):ALLOW

f) Restart sshd to read the changes:

> service sshd restart
Shutting down SSH daemon                  done
Starting SSH daemon

g) Disable direct root console login on the appliance. This means you must first login as a user and su to root. After setting this, when you try to login on the appliance console as root, it should say login incorrect.
> vi /etc/securetty

Set the first two lines as follows:
#tty1
console

6) Verify time synchronization. Recall that NTP is configured when you first import and setup the appliance. As root, verify:

> service ntp status
remote           refid      st t when poll reach   delay   offset  jitter
=============================================
192.168.1.252    .LOCL.       1 u   37   64    1    1.145  459.906   0.001
192.168.1.252     192.168.1.253  2 u   36   64    1    1.273  464.924   0.001

Checking for network time protocol daemon (NTPD):    Running

7) Setup log forwarding with syslog-ng and auditd. Uncomment and edit the following lines to fit your remote syslog server IP address:
> vi /etc/syslog-ng/syslog-ng.conf

destination logserver { udp(“Syslog_svr_IP_Address” port(514));};
log {source(src); destination(logserver);};

a) Restart the service.
> service syslog restart
Shutting down syslog services               done
Starting syslog services

b) Send your audit data to syslog.
> vi /etc/audisp/plugins.d/syslog.conf

change active=no to active=yes

c) Restart auditd.
> service auditd restart
Shutting down auditd                         done
Starting auditd

d) Tune audit performance.
> vi /etc/audisp/audispd.conf

change the following to 1280 and 8
q_depth = 1280
priority_boost = 8

e) Control the number and rotation of log files.
> vi /etc/logrotate.d/syslog

change all entries for rotate 15 to rotate 7

> vi /etc/logrotate.d/audit

change all entries for rotate 15 to rotate 7

8) Set a boot loader or grub password.
> cat /boot/grub/menu.lst | grep password

password –md5 (a_long_hash_will_be_here)

a) Create a password for grub. This is how the sequence goes: you enter grub and run the md5crypt command to create a hashed password. Once you type in the password, the hash is presented. Copy the password hash. Run the quit command to return to the root shell.

> grub

grub> md5crypt

Password: (Enter your password here)
Encrypted: (a_long_hash_will_be_here)
grub> quit

b) Add the following to the third line of the file:
> vi /boot/grub/menu.lst

password –md5 (the password hash from above)

9) Configure NFS and NIS. If you are not using NFS or NIS, disabled the services. You probably aren’t using them.
> chkconfig ypbind off
> chkconfig nfs off
> chkconfig rpcbind off
> service ypbind stop
> service nfs stop
> service rpcbind stop

10) Reboot to refresh your system and seat all of the changes.
> reboot

Enabling TLS 1.2 on the Splunk 6.2x Console and Forwarders using Openssl and self signed certs.

01 Friday Jan 2016

Posted by Slice2 in Security, Splunk

≈ Leave a comment

Tags

Security, Splunk

Good luck. You will need it. Certificates are a major headache and complicated to implement. Using them with Splunk is no different. Splunk’s penchant for twiddling files all over the place makes this process time consuming an rife with error. This post will hopefully help you get it done. This covers encrypting the management console and forwarder traffic. This HOWTO is not for a clustered deployment although it could be adapted to serve that purpose. It was done on Windows 2012 R2 with a single Splunk Enterprise deployment (search head and indexer on the same server) and several forwarders. Use your own naming conventions and hosts for fqdn. Please don’t ask me questions on this post. I almost didn’t survive the process. I won’t have time to reply for a while anyway.

1) On the Splunk Search Head, set your environment.

> cd C:\Program Files\Splunk\bin
> splunk envvars > setsplunkenv.bat & setsplunkenv.bat
> setsplunkenv.bat

2) Create dir $SPLUNK_HOME\etc\auth\UScerts and cd into it.

> cd C:\Program Files\Splunk\etc\auth\UScerts

3) Create a root key.
> openssl genrsa -aes256 -out USCA_root.key 2048

4) Generate and sign the certificate.
> openssl req -new -key USCA_root.key -out USCA_root.csr

5) Generate the public certificate.
> openssl x509 -req -in USCA_root.csr -sha256 -signkey USCA_root.key -CAcreateserial -out USCA_root.pem -days 3650

6) Generate a key for your Web(search head)server certificate.
> openssl genrsa -aes256 -out me.fqdn.com.key 2048

7) Request and sign a new server certificate.
> openssl req -new -key me.fqdn.com.key -out me.fqdn.com.csr

8) Use the CSR me.fqdn.com.csr and your CA certificate and private key to generate a server certificate.
> openssl x509 -req -in me.fqdn.com.csr -sha256 -CA USCA_root.pem -CAkey USCA_root.key -CAcreateserial -out
me.fqdn.com.pem -days 730

9) Creating a (removing encryption from priv key) priv key without a passphrase. Required for webservers.
> openssl rsa -in me.fqdn.com.key -out me.fqdn.com_nopass.key

10) Create a combined cert file.
> type me.fqdn.com.pem me.fqdn.com_nopass.key USCA_root.pem > me.fqdn.com_nopass_use.pem

11) On the search head, edit the \etc\system\local\web.conf and add the following:
[settings]
enableSplunkWebSSL = 1
httpport = 8843
privKeyPath = etc\auth\UScerts\me.fqdn.com_nopass_use.pem
CaCertPath = etc\auth\UScerts\USCA_root.pem

Add to \etc\system\local\server.conf

enableSplunkdSSL = true
sslVersions = tls1.2
allowSslCompression = false
allowSslRenegotiation = false
cipherSuite = TLSv1+HIGH:@STRENGTH

12) Restart Splunk. Close your browser, relaunch and login to the console to verify (make sure to use the port defined above in web.conf; https://hostname or ip:8843).  If you scan with Nessus, Retina, etc., it should now be free from SSL errors.

Certs for Forwarders:

Create a SAN (subject alternative name) cert. Although not officially supported by Splunk when I originally wrote this, it does work.

1) Create a new folder in etc\auth\UScerts\SANcert.

2) Copy the openssl.cnf to the new folder.  C:\Program Files\Splunk\openssl.cnf to C:\Program Files\Splunk\etc\auth\UScerts\SANcert

> cd C:\Program Files\Splunk\etc\auth\UScerts\SANcert

3) In Windows 2012 R2 – Take ownership of the copied openssl.cnf file. Right-click > properties, and then add your user with Full Control to the file.

4) In Notepad or Wordpad, edit openssl.cnf. Wordpad is preferred.

a) Search (using the Find function in the upper right of Wordpad) and uncomment this line:
# req_extensions = v3_req # The extensions to add to a certificate request

b) Next, search for and modify this section to include the following if it does not already have it:
[ v3_req ] # Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAtlName = @alt_names

c) Create this section next, between [ v3_req ] and [ v3_ca ].
[alt_names]
DNS.1 = your.server.com
DNS.2 = your.next.server.com
DNS.3 = your.other.server.com
IP.1 = an IP address for a server
IP.2 = another IP address for a server
— note, add as many as you like. You will need one for each forwarder if you want to identify them individually.

5) Generate a new CSR.
openssl req -new -key me.fqdn.com.key -out me.fqdn.com_SAN.csr -config “C:\Program Files\Splunk\etc\auth\UScerts\SANcert\openssl.cnf”

Make sure you use: *.your.fqdn for Common name question. This is the wildcard for your domain, such as *.yourdomain.com

6) Check text of cert csr. You should see the items in the alt_names from above.
> openssl req -text -noout -in me.fqdn.com_SAN.csr

7) Create a cert.
> openssl x509 -req -in me.fqdn.com_SAN.csr -sha256 -CA USCA_root.pem -CAkey USCA_root.key -CAcreateserial -out me.fqdn.com_SAN.pem -extensions v3_req -days 730 -extfile “C:\Program Files\Splunk\etc\auth\UScerts\SANcert\openssl.cnf”

8) On the Indexer, edit \etc\system\local\inputs.conf and add the following and restart Splunk.

[SSL]
rootCA = etc\auth\UScerts\USCA_root.pem
servercert = etc\auth\UScerts\me.fqdn.com_SAN.pem
password = your_password
cipherSuite = TLSv1+HIGH:@STRENGTH

[splunktcp-ssl:9997]
compressed = false

9) Now restart splunk:
$SPLUNK_HOME\bin\splunk restart splunkd

10) Configure your Forwarders to use the certificates. Use your Deployment Server to distribute the certs and modified outputs.conf to your forwarders.

a) On the Search head that is acting as your deployment server, edit the outputs.conf file in etc\deployment-apps\<your name for SendToIndexer>\local\ with the following.

[tcpout]
defaultGroup = splunkssl

[tcpout:splunkssl]
server = your.ip.:9997
compressed = false
sslRootCAPath = etc\apps\<your name for SendToIndexer>\USCA_root.pem
sslCertPath = etc\apps\<your name for SendToIndexer>\me.fqdn.com_SAN.pem
sslPassword = <your password>
sslVerifyServerCert = true

b) Copy the etc\auth\UScerts\USCA_root.pem and etc\auth\UScerts\me.fqdn.com_SAN.pem files to the etc\deployment-apps\<your name for SendToIndexer>\local folder on your deployment server and they will be copied to each Forwarder for you.

11) Restart Splunk.
$SPLUNK_HOME\bin\splunk restart splunkd

12) Done. I hope.

HOWTO enable SSH on a Cisco ASA running 9.1.x

14 Saturday Nov 2015

Posted by Slice2 in Cisco

≈ Leave a comment

Tags

Security

# conf t
(config)# enable password <your password> encrypted

(config)# username <your username> password <your password> encrypted privilege 15

(config)# aaa authentication ssh console LOCAL

(config)# ssh <ip address> <netmask> inside

(config)# crypto key gen rsa gen mod 2048

(config)# ssh timeout 30

(config)# ssh version 2

Apply a Windows 2012 R2 Domain GPO to a standalone Windows 2012 R2 server

18 Saturday Jul 2015

Posted by Slice2 in Security, Windows

≈ Leave a comment

Tags

Security, Windows

This post demonstrates how to apply a Windows 2012 R2 Domain GPO to a standalone Windows 2012 R2 server that is not in the domain. For this example, I’ll use the Internet Explorer 11 (IE11) lock downs I applied using a domain GPO.

This process also worked when I applied the 2012 R2 IE policy to a standalone Windows 7 Enterprise workstation.

1) Launch Group Policy Management on the Domain Controller. Browse to the policy you want to apply to the standalone servers (in my case IE11), right-click it and select Backup. Save it to a location of your choice and give it a description, such as IE11 GPO.

2) Download and install Microsoft SCM 3.0 (not on your domain controller). I just built a VM since SCM is only needed temporarily. I was only able to get it fully installed without errors on Windows 2008 R2. It supposedly supports Vista through 2012. I opted to install the bundled SQL Express since all I want is the LocalGPO executable. No need to point to a SQL server. You can uninstall the whole thing when done. The only reason to install the full package is so you can get a copy of the LocalGPO folder. Download it from:

Security Compliance Manager (SCM) Info:
https://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx

Download page:
https://www.microsoft.com/en-us/download/details.aspx?id=16776

a) When done downloading, double-click the Security_Compliance_Manager_Setup.exe > click Run > deselect Always check for SCM baseline updates (you don’t care about them right now) and click Next > accept the license and click Next > Next > Next > accept the SQL Express license and click Next > Install > Finish. The app will auto-load the baselines. Just let it finish.

b) When done installing, browse to C:\Program Files (x86)\Microsoft Security Compliance Manager. Copy the LocalGPO folder to a location of your choice. You will need to install the executable in this folder on each standalone server that will receive the Domain GPO.

5) Login as a local admin on the server to receive the GPO. Install LocalGPO on your standalone server. When done, browse to the C:\Program Files (x86)\LocalGPO folder, right-click LocalGPO.wsf, select Properties, select the Security tab and give your admin user full control of the file.

6) Create a folder on this server called c:\gpos. Copy your IE11 GPO backup folder into the c:\gpos folder.

7) Edit the LocalGPO.wsf file to recognize 2012 R2 (Windows 2012 R2 is version 6.3). Open C:\Program Files (x86)\LocalGPO\LocalGPO.wsf in notepad (right-click > Edit). Search for 6.2. On the first instance of 6.2, change it to 6.3.

From this: If(Left(strOpVer,3) = “6.2”) and (strProductType <> “1”) then

To this: If(Left(strOpVer,3) = “6.3“) and (strProductType <> “1”) then

8) The Windows Firewall must be running temporarily before you run this tool. Even though you may have disabled the firewall and use a third-party product like McAfee Firewall, etc., turn on the native Windows firewall in the services.msc applet now.

9) Click start (lower left corner), and then Search icon in the upper right. Enter LocalGPO. Right-click LocalGPO Command line and select Run as Administrator. Before you run the next command, close all Windows except the cmd prompt.

Enter this command:

> cscript localgpo.wsf /path:”C:\gpos\{A81C84F4-F8F5-4E8A-B077-9EA1471B3886}”

– note: your IE11 GPO backup folder name inside c:\gpos will be different. Just add your folder name in the command above.

You should see Applied valid Machine POL and Applied valid User POL. No valid audit or INF is OK.

10) Clean up after yourself. Uninstall LocalGPO if you don’t plan to use it again. Delete the gpo backup in c:\gpos.

You can run > gpupdate /force or reboot the server to apply the policy completely.

11 Verify that it applied the policy. Launch IE11 and verify your settings are locked down. Note that on a fresh system, you  may have to launch IE and then immediately close it. Launch it again and the lock downs will be set. Sometimes it takes two startups for the settings to apply. Not sure why. If you had the Windows firewall turned off, open services.msc and disable it.

Enable legacy SSL and Java SSL support in your browser for those old, crusty websites

08 Monday Jun 2015

Posted by Slice2 in Security

≈ Leave a comment

Tags

Firefox, Security

This is a quick post to show you how to enable legacy SSL and Java SSL support in your browser for those old, crusty websites and applications you have in your organization. Note that this should not be done on Internet facing systems. Only offline or systems that are not routed to the Internet should implement these changes.

1) Launch Firefox. Type about:config in the location bar.
2) In the search bar that comes up, enter: security.tls.version.min. Double-click on the entry that appears and change the value to 0.
3) Do the same for security.tls.version.fallback-limit.
4) Try to connect to your site. It should now work for you.

Enable SSL in Java (it has been disabled for a few rev’s now)
1) Open Windows explorer and browse to either (or both if you have x32/x64 bit Java installed):

C:\Program Files (x86)\Java\jre1.8.0_45\lib\security
C:\Program Files\Java\jre1.8.0_45\lib\security

2) Double-click the file named java.security. You will be prompted to select a program to open the file. Choose select a program from a list of installed programs and click OK. Choose either Wordpad or notepad.

3) Scroll down to the bottom of the file. You should see:
jdk.tls.disabledAlgorithms=SSLv3

4) Change this by back-spacing over SSLv3 and save the file so it looks like:
jdk.tls.disabledAlgorithms=

You should now be able to access legacy sites with Java SSL support.

← Older posts

Follow Blog via Email

Enter your email address to follow this blog and receive notifications of new posts by email.

Recent Posts

  • Patch Alma Linux 8.7 on an Offline or Air-Gapped System
  • HOWTO Remove /home logical volume and add that space to the root partition
  • Patch Rocky Linux 8.6 on an Offline or Air-Gapped System
  • HOWTO Install the Splunk Universal Forwarder on FreeBSD
  • HOWTO install a Splunk Universal Forwarder on Solaris 11 SPARC and x64 Using pkg(p5p) and tar
  • HOWTO install a Splunk Universal Forwarder on Solaris 10 SPARC and x64 Using pkgadd and tar
  • Recover Files from a Windows NTFS partition using Linux based SystemRescue
  • Sysmon Event ID 1 Process Creation rules for Splunk Universal Forwarder and McAfee All Access
  • Upgrading CentOS 7.2003 to 7.2009 on an Offline or Air-Gapped System
  • HOWTO Easily Resize the Default LVM Volume on Ubuntu 18.04
  • Create a Docker Container for your Cisco ESA, SMA or WSA Offline Content Updates
  • Apply the Mozilla Firefox STIG to Firefox on Ubuntu Linux 18.04
  • Dynamically Resize Those Tiny BlackArch Linux Terminals and Add a Scrollbar
  • Kali Linux OVA for Air-Gapped Use Build Process
  • HOWTO install the XFCE 4 Desktop on NetBSD 8.1
  • Build a Kali Linux ISO with the latest OS patches and packages
  • HOWTO quickly STIG Firefox 59.01
  • HOWTO mount a Synology NAS SMB share on Linux with SMBv1 disabled
  • Howto safely delete the WSUS WID on Windows 2012R2
  • HOWTO quickly STIG Firefox 45.0.1
  • Completing the vSphere vCenter Appliance Hardening Process
  • HOWTO install the XFCE 4.12 Desktop on NetBSD 7
  • Enabling TLS 1.2 on the Splunk 6.2x Console and Forwarders using Openssl and self signed certs.
  • HOWTO enable SSH on a Cisco ASA running 9.1.x
  • Apply a Windows 2012 R2 Domain GPO to a standalone Windows 2012 R2 server
  • Enable legacy SSL and Java SSL support in your browser for those old, crusty websites
  • HOWTO update FreeBSD 10.1 to the latest 11-current release
  • HOWTO Secure iSCSI Luns Between FreeBSD 10.1 and NetApp Storage with Mutual CHAP
  • HOWTO install the XFCE 4 Desktop on NetBSD 6.1.5
  • HOWTO Secure iSCSI Luns Between Ubuntu Server 14.10 and NetApp Storage with Mutual CHAP

Categories

  • Cisco (2)
  • ESXi (4)
  • FreeBSD (2)
  • HP (5)
  • iSCSI (12)
  • Linux (31)
  • Nessus (3)
  • NetApp (31)
  • NetBSD (10)
  • Oracle (9)
  • Security (48)
  • Solaris (9)
  • Splunk (5)
  • VMware (19)
  • Windows (20)
  • Wireshark (4)
  • XFCE (3)

Archives

  • February 2023
  • August 2022
  • July 2022
  • April 2022
  • March 2022
  • February 2022
  • January 2022
  • November 2021
  • January 2021
  • December 2020
  • November 2020
  • August 2020
  • May 2020
  • September 2019
  • August 2019
  • March 2018
  • November 2016
  • March 2016
  • January 2016
  • November 2015
  • July 2015
  • June 2015
  • February 2015
  • January 2015
  • December 2014
  • November 2014
  • October 2014
  • September 2014
  • August 2014
  • July 2014
  • May 2014
  • April 2014
  • March 2014
  • February 2014
  • January 2014
  • December 2013
  • November 2013
  • October 2013
  • September 2013
  • August 2013
  • July 2013
  • June 2013
  • May 2013
  • April 2013
  • March 2013

Blogroll

  • Adobe Security Bulletins
  • CentOS Blog
  • Cisco Security Blog
  • CSO Magazine
  • DHS National Vulnerability Database
  • Eric Sloof's NTPRO
  • HT SSL Tests
  • Intel Corp Security Advisories
  • Internet Usage World Stats
  • Kali Linux Blog
  • Linux Mint Blog
  • Meltdown and Spectre
  • Microsoft Security Blog
  • Microsoft Security Intelligence Report
  • Microsoft Security Research & Defense
  • Microsoft Security Response Center
  • MITRE CVE Site
  • NetApp Blogs
  • NetBSD Blog
  • Oracle OTN Security
  • Oracle Security Blog
  • PacketStorm
  • Redhat Security Blog
  • SC Magazine
  • Shodan Search Engine
  • US-CERT Alerts
  • US-CERT Bulletins
  • US-CERT Vulnerability Notes KB
  • VMware Blogs
  • VMware Security Advisories

Category Cloud

Cisco ESXi FreeBSD HP iSCSI Linux Nessus NetApp NetBSD Oracle Security Solaris Splunk VMware Windows Wireshark XFCE

Follow Blog via Email

Enter your email address to follow this blog and receive notifications of new posts by email.

Join 38 other subscribers

Powered by WordPress.com.

 

Loading Comments...