Prepare
IB dekonfigurace
Nalezneme PORTGUID pro srv1 a následně jej vypneme přes ibportstate disable.
ibview - Infiniband diagnostic tool:
-------------------------------------------------------------------------------------------------
PORT | INTP | PORTGUID/NODEGUID | WIDTH | SPEED || HOSTNAME | TYPE | SLOT | ASIC | PORT | INTP | DESCRIPTION | LOCATION | PORTGUID | NODEGUID | LID |
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
[root@mgmt1 ~]# ibview monitor --topo | grep srv1
17 | 17 | 0x0002c90200472778 | 4X | QDR || srv1 | hca | 1 | | 1 | 1 | srv1 HCA-1 | [1200,1200] RACK_2-0/Z | 0x0002c903002b9517 | 0x0002c903002b9516 | 34 |
[root@mgmt1 ~]# ibportstate -G 0x0002c90200472778 17 disable
Initial Switch PortInfo:
# Port info: Lid 7 port 17
LinkState:.......................Active
PhysLinkState:...................LinkUp
Lid:.............................71
SMLid:...........................10104
LMC:.............................0
LinkWidthSupported:..............1X or 4X
LinkWidthEnabled:................1X or 4X
LinkWidthActive:.................4X
LinkSpeedSupported:..............2.5 Gbps or 5.0 Gbps or 10.0 Gbps
LinkSpeedEnabled:................2.5 Gbps or 5.0 Gbps or 10.0 Gbps
LinkSpeedActive:.................10.0 Gbps
Disable may be irreversible
After PortInfo set:
# Port info: Lid 7 port 17
LinkState:.......................Down
PhysLinkState:...................Disabled
Lid:.............................71
SMLid:...........................10104
LMC:.............................0
LinkWidthSupported:..............1X or 4X
LinkWidthEnabled:................1X or 4X
LinkWidthActive:.................4X
LinkSpeedSupported:..............2.5 Gbps or 5.0 Gbps or 10.0 Gbps
LinkSpeedEnabled:................2.5 Gbps or 5.0 Gbps or 10.0 Gbps
LinkSpeedActive:.................2.5 Gbps
LinkSpeedExtSupported:...........0
LinkSpeedExtEnabled:.............0
LinkSpeedExtActive:..............No Extended Speed
Zjistíme IP serveru a heslo z cdbm-equipment pro přihlášení do BMC rozhraní
[root@mgmt1 ~]# grep bmc-srv1 /etc/hosts
10.3.0.31 bmc-srv1.bullx bmc-srv1
[root@mgmt1 ~]# cdbm-equipment show access | grep srv1
- login a heslo
BMC rozhraní
- https://10.3.0.31/ a heslo viz výše
- Spustit si Javu
- BMC menu -> Remote control -> Console Redirection -> button to launch console -> Run java viewer
- Console menu -> Virtual media -> Virtual Storage -> CDROM&ISO -> Logical Drive Type -> ISO File
- Boot - Space to BIOS - IPMI Virtual Disk 300
Instalace OS
CentOS
- Disk - 300 GB
- Network: eth0 Edit
- Connect automatically
- IPv4 manual
- Domény bullx, it4i.cz
- Layout oddílů
- /home zrušit
- BIOS
- odpojit virt. CD/DVD
- vrátit boot disků
Nastavení:
- vypnutí selinux (pozor: tím se na serveru se skenerem vypne povinné řízení přístupu)
vim /etc/sysconfig/selinux
- spacewalk
ping spacewalk.it4i.cz
wget -O - https://spacewalk.it4i.cz
-
yum check-update
-
Postfix
vim /etc/postfix/master.cf
vim /etc/postfix/main.cf
yum install telnet
telnet mx1.it4i.cz 25
vim /etc/postfix/main.cf
postfix reload
vim /etc/postfix/main.cf
vim /etc/aliases
mailq
newaliases
echo "zkouska mailu" | mail -s "zkouska z vulnscan2" root
- Přístupy
- povolení přístupu na službu rsync do světa ze srv1 (10.1.0.31), konkrétně na rsync 873/tcp
- LDAP ldaphost=10.1.0.1:390
OpenVAS
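- Instalace Openvasu (pozor: instalační skript se stahuje přes nešifrované HTTP a rovnou se spouští pod rootem; bezpečnější je skript nejprve uložit, zkontrolovat a teprve pak spustit)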
wget -q -O - http://www.atomicorp.com/installers/atomic |sh
yum upgrade
yum install openvas
openvas-setup
openvas-check-setup --v7
- Nastavení iptables
vim /etc/sysconfig/iptables
netstat -vpnl
- aliases
/etc/aliases
# trap decode to catch security attacks
decode: root
# Person who should get root's mail
root: logs@it4i.cz
- smartd
cat /etc/inittab
chkconfig --list
chkconfig ntpd on
chkconfig smartd on
- vim /etc/ntp.conf
server 10.0.255.255
restrict default ignore
restrict 127.0.0.1 nomodify nopeer notrap
restrict 10.0.255.255 nomodify noquery nopeer notrap
disable monitor
-
smartctl
- megaraid
```bash
fdisk -l
smartctl -a /dev/sda
smartctl /dev/sda -d megaraid,2 -a
```
* vim /etc/smartd.conf
```bash
/dev/sda -d megaraid,1 -a -o on -S on -s (S/../.././02|L/../../6/03)
/dev/sda -d megaraid,2 -a -o on -S on -s (S/../.././02|L/../../6/03)
/dev/sda -d megaraid,1 -H -C 0 -U 0 -m root
/dev/sda -d megaraid,2 -H -C 0 -U 0 -m root
```
* smartd restart
```
/etc/init.d/smartd restart
ps aux | grep smart
```
- LDAP - auth.conf
mkdir /var/lib/openvas/openvasmd/
cat auth.conf
#This file was automatically generated.
[method:file]
enable=true
order=1
[method:ldap_connect]
enable=true
order=-1
ldaphost=10.1.0.1:390
authdn=uid=%s,ou=People,dc=cluster,dc=net
allow-plaintext=false
/etc/init.d/openvas-manager restart
/etc/init.d/openvas-manager status
/etc/init.d/openvas-scanner status
/etc/init.d/gsad status
- workaround vložení ssh klíče do db
sqlite3 /var/lib/openvas/mgr/tasks.db
select * from lsc_credentials ;
INSERT INTO 'lsc_credentials' VALUES(3,'f7e30a39-743e-4f6d-bea6-d1e372ce6f1d',10,'root_at_mgmt1_pubkey_auth','root','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','','ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA9ETCJZWwfCm9KN8Y7f71jjcr/bWa+d2MEPVddQHqzGU4K3vo3i3r4UNEk1x/2ecokgcTTfdO/9PHjEHdEDRgPB9aRoIEEgEfJ/dxpZgz7TFQNHlUUDL5JvUGp27QIUi6IEUYpEs6t04KHGin2yMYlhJGqJvoUpe2kp6ZQoRwP7A7grE8zAfJ8OuqaaZPM2Xc2TmGVjCeOm9AHz+y5QFhVQVnFL3H2r7xWD99EW4GKDJzC47ODCHtJd83+Bnr0GGX0CnbtmCHGrkgpKXCNZrwT6PbVld4e3mdOsb2BsRU2TnwFcHIPyNzzBZie18On0QMJ4yBmKGRbgvDFG68EsuihQ== root@mgmt1
',';;encrypted;;',NULL,NULL,NULL,1394711558,1394789294);
. header on
select * from lsc_credentials ;
#vlastník root (pozor: UPDATE bez WHERE přepíše vlastníka u všech záznamů v lsc_credentials, nejen u vloženého)
update lsc_credentials set owner = 1 ;
select * from users ;
#vlastník scan account
update lsc_credentials set owner = 4 ;
. quit