[Spacewalk-list] Spacewalk-list Digest, Vol 123, Issue 37

suhail.siddiqui at visitor.upm.com
Wed Aug 15 13:45:47 UTC 2018


Hi,
I tried this command but ended with a syntax error.



 $> spacecmd softwarechannel_regenerateyumcache <channel-label>

I think this option is not available in this spacecmd: "softwarechannel_regenerateyumcache"

Best Regards,

Suhail Siddiqui


________________________________
From: spacewalk-list-request at redhat.com
Sent: Wednesday, August 15, 2018 5:26 PM
To: spacewalk-list at redhat.com
Subject: Spacewalk-list Digest, Vol 123, Issue 37

Send Spacewalk-list mailing list submissions to
        spacewalk-list at redhat.com

To subscribe or unsubscribe via the World Wide Web, visit
        https://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.redhat.com%2Fmailman%2Flistinfo%2Fspacewalk-list&data=02%7C01%7Cv766245%40mgd.upm.com%7C29bffca29e7042f881aa08d602a625f5%7C9eab37f091c647e39c00fe8544bd272e%7C1%7C0%7C636699309963676052&sdata=VFmQWcF47G8sizjj9IatDPCqEwEGnwFFwrCaonDzVXg%3D&reserved=0
or, via email, send a message with subject or body 'help' to
        spacewalk-list-request at redhat.com

You can reach the person managing the list at
        spacewalk-list-owner at redhat.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Spacewalk-list digest..."


Today's Topics:

   1. Re: Spacewalk-list Digest, Vol 123, Issue 36
      (suhail.siddiqui at visitor.upm.com)
   2. Re: only SUSE 11 SP4 update pkg push from spacewalk not
      worked (Michael Calmer)
   3. Kickstart Templates - Import Error (Raymond Setchfield)


----------------------------------------------------------------------

Message: 1
Date: Wed, 15 Aug 2018 11:38:25 +0000
From: <suhail.siddiqui at visitor.upm.com>
To: <spacewalk-list at redhat.com>
Subject: Re: [Spacewalk-list] Spacewalk-list Digest, Vol 123, Issue 36
Message-ID:
        <71d8cffcd5454ddda5d0237a6daef033 at AM3PR3701MB0036.054d.mgd.msft.net>
Content-Type: text/plain; charset="us-ascii"

Yes, I have checked that but it didn't work. Also, when I run zypper dup, it shows so many updates, and when I installed the updates using dup and rebooted the servers, nothing changed and every update is still available as it is.

Also, when I used a different repository from the SMT server and ran zypper update, it shows all available updates, and the updates install and work.

Best Regards,
Suhail Siddiqui

-----Original Message-----
From: spacewalk-list-bounces at redhat.com <spacewalk-list-bounces at redhat.com> On Behalf Of spacewalk-list-request at redhat.com
Sent: 15 August 2018 14:09
To: spacewalk-list at redhat.com
Subject: Spacewalk-list Digest, Vol 123, Issue 36



Today's Topics:

   1. only SUSE 11 SP4 update pkg push from spacewalk not worked
      (suhail.siddiqui at visitor.upm.com)
   2. Re: only SUSE 11 SP4 update pkg push from spacewalk not
      worked (Flores, Javier (D4\INF\IT ID))
   3. Autoaccept GPG Key (Joaquin Henriquez)


----------------------------------------------------------------------

Message: 1
Date: Wed, 15 Aug 2018 10:03:09 +0000
From: <suhail.siddiqui at visitor.upm.com>
To: <spacewalk-list at redhat.com>
Subject: [Spacewalk-list] only SUSE 11 SP4 update pkg push from
spacewalk not worked
Message-ID:
<a3d49183d79f47cf8bfd5611b7ae7272 at HE1PR3701MB0043.054d.mgd.msft.net>
Content-Type: text/plain; charset="us-ascii"

Hi ,

Only SUSE 11 SP4 is having this issue: when I push a package update from Spacewalk to the client, it fails with "not found"; when I run zypper update on the client, it says no updates are available; however, the Spacewalk web console shows all critical and bug-fix updates as available.

Please help me to fix this. I have already removed the cache from the Spacewalk server for this repository and tried everything, but it didn't work.


Thanks
Suhail Siddiqui


________________________________
Please note. The information contained in this message is confidential and is intended only for the use of the individual named above and others who have been specially authorized to receive it. If you are not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. The attachments have been scanned for viruses prior to leaving our E-mail system. UPM-Kymmene Corporation shall not be liable for any consequences of any virus being passed on.

------------------------------

Message: 2
Date: Wed, 15 Aug 2018 10:33:56 +0000
From: "Flores, Javier (D4\\INF\\IT ID)" <Javier.Flores at gmz.migros.ch>
To: "'spacewalk-list at redhat.com'" <spacewalk-list at redhat.com>
Subject: Re: [Spacewalk-list] only SUSE 11 SP4 update pkg push from
spacewalk not worked
Message-ID:
<49EC69E1C8CBC144A57BFC099D35EB01C7D48DF7 at hnexm01b.datacenter-migros.ch>

Content-Type: text/plain; charset="us-ascii"

Hi,

Have you already tried deleting the local caches (zypper clean -a) on your sles11sp4 server?

Regards,
Javier


------------------------------

Message: 3
Date: Wed, 15 Aug 2018 11:08:25 +0000
From: Joaquin Henriquez <joaquin.henriquez at countercept.com>
To: "spacewalk-list at redhat.com" <spacewalk-list at redhat.com>
Subject: [Spacewalk-list] Autoaccept GPG Key
Message-ID:
<43d78a66e0934b57aa51396a44190467 at BSKEXCH2013HYPV.mwrinfosecurity.com>
Content-Type: text/plain; charset="windows-1252"

Hi Guys

When configuring the GPG key of the channel I put the file:///etc/pki/rpm/GPG-KEY, KEY-ID and Fingerprint.
When updating a client it takes the file from that path.

ERROR:
Error while executing packages action: Refusing to automatically import keys when running unattended. [[6]]

That means I need to get confirmation for the GPG Key. Is there a way to auto-accept?

Total size: 480 k
Is this ok [y/d/N]: y
Downloading packages:
warning: /var/cache/yum/x86_64/7/elasticseach_curator_4/packages/python-setuptools-27.3.0-1.noarch.rpm: Header V4 RSA/SHA1 Signature, key ID d88e42b4: NOKEY Retrieving key from file:///etc/pki/rpm-gpg/GPG-KEY-elasticsearch
Importing GPG key 0xD88E42B4:
Userid     : "Elasticsearch (Elasticsearch Signing Key) <dev_ops@elasticsearch.org>"
Fingerprint: 4609 5acc 8548 582c 1a26 99a9 d27d 666c d88e 42b4
From       : /etc/pki/rpm-gpg/GPG-KEY-elasticsearch
Is this ok [y/N]:
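What the prompt above is asking for can be settled before the unattended run: import the signing key into the RPM keyring ahead of time, and only after its fingerprint matches the value recorded from a trusted source, so yum never has to decide on its own. This is an added example, not part of the thread; it assumes GnuPG 2.2 or later for the show-only listing, and the sample colon-format listing is constructed around the fingerprint shown above.

```shell
#!/bin/bash
# Added example (not from the thread). Rather than letting yum answer the
# "Importing GPG key" prompt by itself, import the key before the unattended
# run, and only after its fingerprint matches the one recorded out of band.
# Assumes GnuPG 2.2 or later for the show-only listing.

# Canonical fingerprint form: no spaces, no leading 0x, upper case, so the
# spaced form yum prints compares equal to the compact form gpg emits.
norm_fpr() {
  printf '%s' "$1" | tr -d ' ' | sed 's/^0[xX]//' | tr '[:lower:]' '[:upper:]'
}

# Primary-key fingerprint from `gpg --with-colons` output: the first "fpr"
# record, field 10. Reads the listing on stdin.
fpr_from_colons() {
  awk -F: '$1 == "fpr" { print $10; exit }'
}

# The short key ID is the last 8 hex digits of the fingerprint; this is how
# "key ID d88e42b4" in the NOKEY warning relates to the fingerprint line.
short_keyid_of() {
  norm_fpr "$1" | tail -c 8
}

# 0 when the key file's fingerprint equals the expected one, 1 otherwise.
# $1 = expected fingerprint, $2 = path to the ASCII-armoured key file.
key_fingerprint_ok() {
  local expected actual
  expected=$(norm_fpr "$1")
  actual=$(gpg --batch --with-colons --with-fingerprint \
               --import-options show-only --import "$2" 2>/dev/null | fpr_from_colons)
  [ -n "$actual" ] && [ "$(norm_fpr "$actual")" = "$expected" ]
}

# Import into the RPM keyring only after the check passes. Once the key is in
# the RPM database, yum and zypper treat packages signed with it as trusted
# and the interactive prompt never appears.
import_verified_key() {
  if key_fingerprint_ok "$1" "$2"; then
    rpm --import "$2"
  else
    echo "fingerprint of $2 does not match the expected value, not importing" >&2
    return 1
  fi
}

# Constructed gpg --with-colons listing for the key in the prompt above
# (fields other than the fingerprint and key ID are illustrative).
SAMPLE_COLONS='pub:-:2048:1:D27D666CD88E42B4:1377694660:::-:::scESC::::::23::0:
fpr:::::::::46095ACC8548582C1A2699A9D27D666CD88E42B4:
uid:-::::1377694660::0::Elasticsearch (Elasticsearch Signing Key) <dev_ops@elasticsearch.org>::::::::::0:'

# Compare the constructed listing with the fingerprint yum displayed.
check_sample() {
  local shown='4609 5acc 8548 582c 1a26 99a9 d27d 666c d88e 42b4'
  [ "$(printf '%s\n' "$SAMPLE_COLONS" | fpr_from_colons)" = "$(norm_fpr "$shown")" ]
}
```

With the key already in the RPM keyring, `import_verified_key "<expected fpr>" /etc/pki/rpm-gpg/GPG-KEY-elasticsearch` run once in %post or via a Spacewalk configuration channel is enough; the client never needs to be allowed to auto-accept.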

------------------------------

_______________________________________________
Spacewalk-list mailing list
Spacewalk-list at redhat.com
https://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.redhat.com%2Fmailman%2Flistinfo%2Fspacewalk-list&data=02%7C01%7Cv766245%40mgd.upm.com%7C29bffca29e7042f881aa08d602a625f5%7C9eab37f091c647e39c00fe8544bd272e%7C1%7C0%7C636699309963686060&sdata=B8WvddHhqNtvvtarsS%2BUoLjJKDQsjdvH8j7IFrdlJVs%3D&reserved=0

End of Spacewalk-list Digest, Vol 123, Issue 36
***********************************************




------------------------------

Message: 2
Date: Wed, 15 Aug 2018 13:39:50 +0200
From: Michael Calmer <mc at suse.de>
To: spacewalk-list at redhat.com
Subject: Re: [Spacewalk-list] only SUSE 11 SP4 update pkg push from
        spacewalk not worked
Message-ID: <1761334.fggyKL0tM1 at lesch>
Content-Type: text/plain; charset="iso-8859-1"

Hi

This might also happen when Spacewalk does not regenerate the metadata.
Look in /var/cache/rhn/repodata/<channel-label>/ and remove all files.

After this, trigger a regeneration, maybe with

 $> spacecmd softwarechannel_regenerateyumcache <channel-label>

then wait until the generation is finished (no .new files in the cache dir) and try again.



--
Regards

        Michael Calmer

--------------------------------------------------------------------------
Michael Calmer
SUSE LINUX GmbH, Maxfeldstr. 5, D-90409 Nuernberg
T: +49 (0) 911 74053 0
F: +49 (0) 911 74053575  - e-mail: Michael.Calmer at suse.com
--------------------------------------------------------------------------
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton,
                     HRB 21284 (AG Nürnberg)
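The procedure in Michael's reply as a script, added here and not part of the original post: it clears only the named channel's cache directory, schedules the regeneration through spacecmd (Taskomatic does the actual work asynchronously), and polls for the .new files he mentions before reporting the channel ready. The /var/cache/rhn/repodata path is the one from his message; spacecmd is assumed to find its login in ~/.spacecmd/config.

```shell
#!/bin/bash
# Added example, not from the thread: Michael Calmer's cache-reset procedure
# as a script. Clears one channel's repodata cache, schedules regeneration
# through spacecmd and waits until no *.new files remain before declaring
# the channel ready for the client to retry.
RHN_REPODATA=${RHN_REPODATA:-/var/cache/rhn/repodata}   # path from the reply

# Number of in-progress (*.new) files directly under a channel's cache dir.
pending_new_files() {
  find "$1" -maxdepth 1 -type f -name '*.new' 2>/dev/null | wc -l | tr -d ' '
}

# Poll $1 every 5 s for up to $2 seconds (default 600). Returns 0 once no
# *.new files remain and 1 on timeout, so a caller can tell "finished"
# from "still running" instead of retrying the client too early.
wait_for_regeneration() {
  local dir=$1 timeout=${2:-600} waited=0
  while [ "$(pending_new_files "$dir")" -ne 0 ]; do
    if [ "$waited" -ge "$timeout" ]; then
      return 1
    fi
    sleep 5
    waited=$((waited + 5))
  done
  return 0
}

# Resolve a channel label to its cache dir. Refuses an empty or unknown
# label: with label="" the rm below would expand to $RHN_REPODATA//* and
# wipe every channel's cache, not just the broken one.
channel_cache_dir() {
  local label=$1
  if [ -z "$label" ] || [ ! -d "$RHN_REPODATA/$label" ]; then
    return 1
  fi
  printf '%s\n' "$RHN_REPODATA/$label"
}

# Clear, regenerate and wait. Exit codes: 0 ready, 1 spacecmd failed or the
# regeneration did not finish in time, 2 bad channel label.
regenerate_channel() {
  local label=$1 dir
  dir=$(channel_cache_dir "$label") || { echo "no cache dir for channel '$label'" >&2; return 2; }
  rm -f -- "$dir"/*
  # assumes spacecmd credentials in ~/.spacecmd/config; otherwise it prompts
  spacecmd softwarechannel_regenerateyumcache "$label" || return 1
  wait_for_regeneration "$dir" 600
}
```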




------------------------------

Message: 3
Date: Wed, 15 Aug 2018 12:55:47 +0100
From: Raymond Setchfield <raymond.setchfield at gmail.com>
To: spacewalk-list at redhat.com
Subject: [Spacewalk-list] Kickstart Templates - Import Error
Message-ID:
        <CAPZeFq5HrBXXZwAJXJdVLWt1R8ZjkbBgp74LUctVBYm3WaotHA at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Hi

Still having difficulties with the kickstart template which I am importing.
I have received the following error;

# *** ERROR ***
#
# There is a templating error preventing this file from rendering correctly.
#
# This is most likely not due to a bug in Cobbler and is something you can fix.
#
# Look at the message below to see what things are causing problems.
#
# (1) Does the template file reference a $variable that is not defined?
# (2) is there a formatting error in a Cheetah directive?
# (3) Should dollar signs ($) be escaped that are not being escaped?
#
# Try fixing the problem and then investigate to see if this message goes
# away or changes.
#
#
# invalid syntax (<string>, line 1)
#   File "/usr/lib/python2.7/site-packages/cobbler/templar.py", line 142, in render
#     data_out = t.respond()
#
#   File "cheetah_DynamicallyCompiledCheetahTemplate_1534333865_22_95256.py", line 559, in respond
#
#   File "cheetah_DynamicallyCompiledCheetahTemplate_1534333865_22_95256.py", line 91, in __errorCatcher4
#

I have attached the kickstart which I am attempting to import. Any help
would be greatly appreciated

Ray
-------------- next part --------------
# Kickstart Template Based on CIS (Center for Internet Security)
# This kickstart conforms to the standard on benchmark version 2.1.1
# Raymond Setchfield
# Date 13/08/18
#


install
lang en_GB.UTF-8
keyboard --vckeymap=uk --xlayouts='uk'
timezone Europe/London --isUtc
auth --useshadow --passalgo=sha512                       # CIS 5.3.4
firewall --enabled
services --enabled=NetworkManager,sshd
eula --agreed
ignoredisk --only-use=sda
reboot

bootloader --location=mbr --append=" crashkernel=auto"
zerombr
clearpart --all --initlabel
part swap --asprimary --fstype="swap" --recommended
part /boot --fstype xfs --size=1024
part pv.01 --size=1 --grow
volgroup vg_root pv.01
logvol / --fstype xfs --name=root --vgname=vg_root --size=5120 --grow
# CIS 1.1.2-1.1.5
logvol /tmp --vgname vg_root --name tmp --size=500 --fsoptions="nodev,nosuid,noexec"
# CIS 1.1.11
logvol /var/log --vgname vg_root --name log --size=1024
# CIS 1.1.12
logvol /var/log/audit --vgname vg_root --name audit --size=1024
# CIS 1.1.13-1.1.14
logvol /home --vgname vg_root --name home --size=1024 --fsoptions="nodev"

rootpw yourpasswordhere

cdrom

%packages --ignoremissing
@core
aide                             # CIS 1.3.1
tcp_wrappers                    # CIS 3.4
rsyslog                         # CIS 4.2.1
#cronie-anacron
-setroubleshoot          # CIS 1.6.1.4
-mcstrans                 # CIS 1.6.1.5
-telnet                  # CIS 2.3.4
-rsh-server                      # CIS 2.2.17
-rsh                            # CIS 2.3.2
-ypbind                         # CIS 2.1.1
-ypserv                         # CIS 2.2.16
-tftp                           # CIS 2.1.7
-tftp-server                    # CIS 2.2.20
-talk                           # CIS 2.3.3
-talk-server                    # CIS 2.2.18
-xinetd                         # CIS 2.1.7
-xorg-x11-server-common         # CIS 2.2.2
-avahi-daemon                   # CIS 2.2.3
-cups                           # CIS 2.2.4
-dhcp                           # CIS 2.2.5
-openldap                       # CIS 2.2.6
%end

%post --log=/root/postinstall.log

###############################################################################
# /etc/fstab
# CIS 1.1.6 + 1.1.15-1.1.17
cat << EOF >> /etc/fstab
/tmp      /var/tmp    none    bind    0 0
none    /dev/shm        tmpfs   nosuid,nodev,noexec     0 0
EOF

###############################################################################

# Disable mounting of unneeded filesystems CIS 1.1.1 and CIS 3.5
cat << EOF >> /etc/modprobe.d/CIS.conf
install cramfs /bin/true
install freevxfs /bin/true
install jffs2 /bin/true
install hfs /bin/true
install hfsplus /bin/true
install squashfs /bin/true
install udf /bin/true
install dccp /bin/true
install sctp /bin/true
install rds /bin/true
install tipc /bin/true
EOF

df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null | xargs chmod a+t

rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release        # CIS 1.2.3

systemctl enable firewalld                      # CIS 3.6
systemctl enable rsyslog                        # CIS 4.2.1.1
systemctl enable auditd                         # CIS 4.1.2
systemctl enable crond                          # CIS 5.1.1

# Set bootloader password                               # CIS 1.5.3
# qwe123#@!
cat << EOF2 >> /etc/grub.d/01_users
#!/bin/sh -e

cat << EOF
set superusers="bootuser"
password_pbkdf2 bootuser grub.pbkdf2.sha512.10000.44D91DCFB72B53F27C58A4EAEBF29A210CB57469FB5CAA8935585856232A6CE70A2B58CE8BBAF7A9618848836F1793EC575AD1BF5959472D3AA5ECB6A05C92D2.89E0A18B9AB9080642209EAC8FC69CB988062579B68C27A16281900FFC79CE60AE1155409F78DDCFC92C40FF87A7C2F5A80899515B5CF9D15044E34658CBBD6B
EOF
EOF2

sed -i s/'^GRUB_CMDLINE_LINUX="'/'GRUB_CMDLINE_LINUX="audit=1 '/ /etc/default/grub  # CIS 4.1.3
grub_cfg='/boot/grub2/grub.cfg'
grub2-mkconfig -o ${grub_cfg}

# Restrict Core Dumps                                   # CIS 1.5.1
echo \* hard core 0 >> /etc/security/limits.conf

cat << EOF >> /etc/sysctl.conf
fs.suid_dumpable = 0                                    # CIS 1.5.1
kernel.randomize_va_space = 2                           # CIS 1.5.3
net.ipv4.ip_forward = 0                                 # CIS 3.1.1
net.ipv4.conf.all.send_redirects = 0                    # CIS 3.1.2
net.ipv4.conf.default.send_redirects = 0                # CIS 3.1.2
net.ipv4.conf.all.accept_source_route = 0               # CIS 3.2.1
net.ipv4.conf.default.accept_source_route = 0           # CIS 3.2.1
net.ipv4.conf.all.accept_redirects = 0                   # CIS 3.2.2
net.ipv4.conf.default.accept_redirects = 0               # CIS 3.2.2
net.ipv4.conf.all.secure_redirects = 0                   # CIS 3.2.3
net.ipv4.conf.default.secure_redirects = 0               # CIS 3.2.3
net.ipv4.conf.all.log_martians = 1                       # CIS 3.2.4
net.ipv4.conf.default.log_martians = 1                   # CIS 3.2.4
net.ipv4.icmp_echo_ignore_broadcasts = 1                # CIS 3.2.5
net.ipv4.icmp_ignore_bogus_error_responses = 1          # CIS 3.2.6
net.ipv4.conf.all.rp_filter = 1                         # CIS 3.2.7
net.ipv4.conf.default.rp_filter = 1                     # CIS 3.2.7
net.ipv4.tcp_syncookies = 1                             # CIS 3.2.8
net.ipv6.conf.all.accept_ra = 0                         # CIS 3.3.1
net.ipv6.conf.default.accept_ra = 0                      # CIS 3.3.1
net.ipv6.conf.all.accept_redirects = 0                  # CIS 3.3.2
net.ipv6.conf.default.accept_redirects = 0              # CIS 3.3.2
net.ipv6.conf.all.disable_ipv6 = 1                      # CIS 3.3.3
EOF

echo "NETWORKING_IPV6=no" >> /etc/sysconfig/network
echo "IPV6INIT=no" >> /etc/sysconfig/network
echo "options ipv6 disable=1" >> /etc/modprobe.d/ipv6.conf
echo "net.ipv6.conf.all.disable_ipv6=1" >> /etc/sysctl.d/ipv6.conf

cd /usr/lib/systemd/system
rm default.target
ln -s multi-user.target default.target

echo "ALL: ALL" >> /etc/hosts.deny                      # CIS 3.4.3
chown root:root /etc/hosts.deny                         # CIS 3.4.5
chmod 644 /etc/hosts.deny                               # CIS 3.4.5

chown root:root /etc/rsyslog.conf
chmod 600 /etc/rsyslog.conf
# CIS 4.2.1.2 - 4.2.1.3  Configure /etc/rsyslog.conf - This is environment specific
cat << EOF >> /etc/rsyslog.conf
auth,user.* /var/log/user
kern.* /var/log/kern.log
daemon.* /var/log/daemon.log
syslog.* /var/log/syslog
lpr,news,uucp,local0,local1,local2,local3,local4,local5,local6.* /var/log/unused.log
EOF

touch /var/log/user /var/log/kern.log /var/log/daemon.log /var/log/syslog /var/log/unused.log
chmod og-rwx /var/log/user /var/log/kern.log /var/log/daemon.log /var/log/syslog /var/log/unused.log
chown root:root /var/log/user /var/log/kern.log /var/log/daemon.log /var/log/syslog /var/log/unused.log

# CIS 4.2.1.4 - 4.2.1.5  Configure rsyslog to Send Log to a Remote Log Host - This is environment specific
auditd_conf='/etc/audit/auditd.conf'
# CIS 4.1.1.1 Configure Audit Log Storage Size
sed -i 's/^max_log_file .*$/max_log_file = 1024/' ${auditd_conf}
# CIS 4.1.1.2 Disable system on Audit Log Full - This is VERY environment specific (and likely controversial)
sed -i 's/^space_left_action.*$/space_left_action = email/' ${auditd_conf}
sed -i 's/^action_mail_acct.*$/action_mail_acct = root/' ${auditd_conf}
sed -i 's/^admin_space_left_action.*$/admin_space_left_action = halt/' ${auditd_conf}
# CIS 4.1.1.3 Keep All Auditing Information
sed -i 's/^max_log_file_action.*$/max_log_file_action = keep_logs/' ${auditd_conf}

# CIS 5.1.2-5.1.7
chown root:root /etc/anacrontab /etc/crontab /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly /etc/cron.d
chmod 600 /etc/anacrontab /etc/crontab /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly /etc/cron.d

# CIS 5.1.8
[[ -w /etc/at.deny ]] && rm /etc/at.deny
[[ -w /etc/cron.deny ]] && rm /etc/cron.deny
touch /etc/at.allow /etc/cron.allow
chown root:root /etc/at.allow /etc/cron.allow
chmod 600 /etc/at.allow /etc/cron.allow



# CIS 4.1.4 - 4.1.18
cat << EOF >> /etc/audit/rules.d/audit.rules

-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change

-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity

-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale

-w /etc/selinux/ -p wa -k MAC-policy

-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins

-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session

-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod

-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access

-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts

-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete

-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d -p wa -k scope

-w /var/log/sudo.log -p wa -k actions

-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules

-a always,exit -F path=/usr/bin/wall -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/write -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/netreport -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/lib/polkit-1/polkit-agent-helper-1 -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/lib64/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/libexec/utempter/utempter -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged

-e 2
EOF

sed -i "1 i /var/log/boot.log" /etc/logrotate.d/syslog                   # CIS 4.3

sshd_config='/etc/ssh/sshd_config'
chown root:root ${sshd_config}                                          # CIS 5.2.1
chmod 600 ${sshd_config}                                                # CIS 5.2.1
sed -i 's/\#Protocol/Protocol/' ${sshd_config}                          # CIS 5.2.2
sed -i 's/\#LogLevel/LogLevel/' ${sshd_config}                          # CIS 5.2.3
sed -i 's/X11Forwarding yes/X11Forwarding no/' ${sshd_config}           # CIS 5.2.4
sed -i 's/\#MaxAuthTries 6/MaxAuthTries 4/' ${sshd_config}              # CIS 5.2.5
sed -i 's/\#IgnoreRhosts yes/IgnoreRhosts yes/' ${sshd_config}          # CIS 5.2.6
sed -i 's/\#HostbasedAuthentication no/HostbasedAuthentication no/' ${sshd_config}      # CIS 5.2.7
sed -i 's/\#PermitRootLogin yes/PermitRootLogin no/' ${sshd_config}     # CIS 5.2.8
sed -i 's/\#PermitEmptyPasswords no/PermitEmptyPasswords no/' ${sshd_config}    # CIS 5.2.9
sed -i 's/\#PermitUserEnvironment no/PermitUserEnvironment no/' ${sshd_config}  # CIS 5.2.10

line_num=$(grep -n "^\# Ciphers and keying" ${sshd_config} | cut -d: -f1)
# double quotes so that ${line_num} expands; in single quotes sed received the literal text "${line_num}"
sed -i "${line_num} a MACs hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160" ${sshd_config}  # CIS 5.2.12
sed -i "${line_num} a Ciphers aes128-ctr,aes192-ctr,aes256-ctr" ${sshd_config}  # CIS 5.2.11

sed -i 's/\#ClientAliveInterval 0/ClientAliveInterval 300/' ${sshd_config}      # CIS 5.2.13
sed -i 's/\#ClientAliveCountMax 3/ClientAliveCountMax 0/' ${sshd_config}        # CIS 5.2.13
sed -i 's/\#LoginGraceTime 2m/LoginGraceTime 60/' ${sshd_config}        # CIS 5.2.14
sed -i 's/\#Banner none/Banner \/etc\/issue\.net/' ${sshd_config}        # CIS 5.2.16

# CIS 5.3.1
pwqual='/etc/security/pwquality.conf'
sed -i 's/^# minlen =.*$/minlen = 14/' ${pwqual}
sed -i 's/^# dcredit =.*$/dcredit = -1/' ${pwqual}
sed -i 's/^# ucredit =.*$/ucredit = -1/' ${pwqual}
sed -i 's/^# ocredit =.*$/ocredit = -1/' ${pwqual}
sed -i 's/^# lcredit =.*$/lcredit = -1/' ${pwqual}

# CIS 5.3.2
content="$(egrep -v "^#|^auth" /etc/pam.d/password-auth)"
echo -e "auth required pam_env.so
auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900
auth [success=1 default=bad] pam_unix.so
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900
auth required pam_deny.so\n$content" > /etc/pam.d/password-auth

content="$(egrep -v "^#|^auth" /etc/pam.d/system-auth)"
# No "auth sufficient pam_unix.so" ahead of pam_faillock here: it would end the
# stack on success so the authsucc line never resets the failure counter, and
# remember= is an option of the password stack, not the auth stack.
echo -e "auth required pam_env.so
auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900
auth [success=1 default=bad] pam_unix.so
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900
auth required pam_deny.so\n$content" > /etc/pam.d/system-auth

# CIS 5.3.3
line_num="$(grep -n "^password[[:space:]]*sufficient[[:space:]]*pam_unix\.so" /etc/pam.d/system-auth | cut -d: -f1)"
# Append remember=5 to the pam_unix password line unless it already carries it
sed -n "${line_num}p" /etc/pam.d/system-auth | grep -q remember || sed -i "${line_num} s/$/ remember=5/" /etc/pam.d/system-auth

login_defs=/etc/login.defs
sed -i 's/^PASS_MAX_DAYS.*$/PASS_MAX_DAYS 90/' ${login_defs}            # CIS 5.4.1.1
sed -i 's/^PASS_MIN_DAYS.*$/PASS_MIN_DAYS 7/' ${login_defs}             # CIS 5.4.1.2
sed -i 's/^PASS_WARN_AGE.*$/PASS_WARN_AGE 7/' ${login_defs}             # CIS 5.4.1.3

root_gid="$(id -g root)"
if [[ "${root_gid}" -ne 0 ]] ; then
  usermod -g 0 root                                                     # CIS 5.4.3
fi

# CIS 5.4.4
bashrc='/etc/bashrc'
#first umask cmd sets it for users, second umask cmd sets it for system reserved uids
#we want to alter the first one
line_num=$(grep -n "^[[:space:]]*umask" ${bashrc} | head -1 | cut -d: -f1)
sed -i "${line_num}s/002/027/" ${bashrc}

bashprofile='/etc/profile'
line_num=$(grep -n "^[[:space:]]*umask" ${bashprofile} | head -1 | cut -d: -f1)
sed -i "${line_num}s/002/027/" ${bashprofile}

# CIS 5.5
cp /etc/securetty /etc/securetty.orig
#> /etc/securetty
cat << EOF > /etc/securetty
console
tty1
EOF

# CIS 5.6
pam_su='/etc/pam.d/su'
line_num="$(grep -n "^\#auth[[:space:]]*required[[:space:]]*pam_wheel.so[[:space:]]*use_uid" ${pam_su} | cut -d: -f1)"
sed -i "${line_num} a auth              required        pam_wheel.so use_uid" ${pam_su}
usermod -aG wheel root    # -a appends wheel to root's supplementary groups instead of replacing the list

[[ -w /etc/issue ]] && rm /etc/issue
[[ -w /etc/issue.net ]] && rm /etc/issue.net
touch /etc/issue /etc/issue.net
chown root:root /etc/issue /etc/issue.net
chmod 644 /etc/issue /etc/issue.net

chown root:root ${grub_cfg}                                     # CIS 1.4.1
chmod 600 ${grub_cfg}
chmod 644 /etc/passwd                                           # CIS 6.1.2
chown root:root /etc/passwd
chmod 000 /etc/shadow                                           # CIS 6.1.3
chown root:root /etc/shadow
chmod 644 /etc/group                                            # CIS 6.1.4
chown root:root /etc/group
chmod 000 /etc/gshadow                                          # CIS 6.1.5
chown root:root /etc/gshadow

# Install AIDE                                                   # CIS 1.3.2
echo "0 5 * * * /usr/sbin/aide --check" >> /var/spool/cron/root
#Initialise last so it doesn't pick up changes made by the post-install of the KS
/usr/sbin/aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz'

%end

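The sed lines in the %post above only rewrite the stock commented default (for example "#PermitRootLogin yes"), so a directive that is already active with another value is left untouched and the hardening silently fails. Added example, not from the kickstart posted above: idempotent helpers that replace-or-append an sshd_config directive and read the effective value back, run against a constructed sample file (the helper names and the sample content are assumptions, not from the post).

```bash
#!/usr/bin/env bash
# Added example, not from the posted kickstart. Helpers that set an sshd_config directive
# idempotently (replace an active or "#Key value" default line, else append) and read the
# active value back, so a hardening step can be verified rather than assumed.
set -u

# Match "Key ..." or "#Key ..." (the default file's commented directives have no space
# after "#"; prose comments such as "# Ciphers and keying" do, so they are left alone).
set_sshd_option() {
    local file="$1" key="$2" value="$3"
    if grep -Eq "^[[:space:]]*#?${key}([[:space:]]|$)" "$file"; then
        sed -i -E "s|^[[:space:]]*#?${key}([[:space:]].*)?$|${key} ${value}|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# Print the value of the first active (uncommented) directive for key; empty if none.
# Keys are case-insensitive in sshd; "Match" blocks are not handled here.
get_sshd_option() {
    local file="$1" key="$2"
    awk -v k="$key" 'tolower($1) == tolower(k) { print $2; exit }' "$file"
}

# Return 0 when the active directive equals the expected value, 1 otherwise.
check_sshd_option() {
    local file="$1" key="$2" expected="$3" actual
    actual="$(get_sshd_option "$file" "$key")"
    [ "$actual" = "$expected" ]
}

# Constructed sample sshd_config: a commented default, an already-active directive with
# the wrong value (which a plain "s/\#PermitRootLogin yes/.../" sed would miss), and
# a directive that is absent altogether (Banner).
make_sample_config() {
    cat > "$1" <<'EOF'
# Authentication:
#LoginGraceTime 2m
PermitRootLogin yes
#PermitEmptyPasswords no
EOF
}
```

Run the helpers on a copy of the target file first, then diff it against the original before committing the change in %post.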
------------------------------
