System Securities with Linux and Virtualization.!!
Friday, October 3, 2025
Generate a Hashicorp Vault Token when it's expired
Wednesday, October 1, 2025
Configure PTP on Solarflare Cards
1. Create the required directory on the server as shown below for the PTP driver installation, and upload the packages into that directory.
cd /root
umask 022
mkdir SFC
cd SFC/
pwd (To verify the path /root/SFC)
2. Now upload all the required packages listed below and the license key file to this location (the driver packages and Solarflare keys will be provided by the hardware team), then verify that the build prerequisites are installed:
rpm -qa kernel-devel
rpm -qa gcc
rpm -qa make
rpm -qa automake
rpm -qa autoconf
rpm -qa perl
rpm -qa libtool
rpm -qa gettext
rpm -qa gawk
rpm -qa sed
rpm -qa bash
rpm -qa glibc-common
rpm -qa python
rpm -qa python-devel
rpm -qa binutils
rpm -qa libpcap
rpm -qa libpcap-devel (If this package is not shown as installed, enable the universal repo and install it with yum)
4. Check the irqbalance service status; if it is running, stop and disable it.
/etc/init.d/irqbalance status
/etc/init.d/irqbalance stop
chkconfig irqbalance off
chkconfig irqbalance --list
On systemd-based releases, use the equivalent commands instead:
systemctl status irqbalance
systemctl stop irqbalance
systemctl status irqbalance
systemctl disable irqbalance
systemctl is-enabled irqbalance
5. Now, after verifying all the required packages, extract all the driver packages.
cd /root/SFC/
tar -xzvf 'SF-108317-LS-6_Solarflare_Linux_diagnostics_(sfreport).tgz'
tar -xzvf 'SF-113122-LS-12_Solarflare_Enhanced_PTP_Daemon_(sfptpd)_-_64_bit_binary_RPM.tgz'
unzip 'SF-107601-LS-70_Solarflare_Linux_Utilities_RPM_(64bit).zip'
mkdir EOL6
mv SF-121400-LS-5_EnterpriseOnload_6.zip /root/SFC/EOL6
cd EOL6
unzip SF-121400-LS-5_EnterpriseOnload_6.zip
6. Check whether the entry below is present in the grub file (/etc/default/grub); if it is not, add it.
intel_idle.max_cstate=0 processor.max_cstate=1 idle=poll
Before Change in Grub File
Configure Audit logs & log Retention in Production VMs
Install the required packages
sudo apt install -y auditd audispd-plugins
sudo systemctl enable auditd
sudo systemctl start auditd
sudo vi /etc/audit/rules.d/hardening.rules
#Authentication Events
-w /etc/passwd -p wa -k passwd_changes
-w /etc/shadow -p wa -k shadow_changes
-w /etc/group -p wa -k group_changes
-w /etc/gshadow -p wa -k gshadow_changes
#Privilege Escalation (e.g., sudo)
-w /etc/sudoers -p wa -k sudoers_changes
-w /etc/sudoers.d/ -p wa -k sudoers_includes
#System Configuration Changes
-w /etc/hostname -p wa -k hostname_changes
-w /etc/hosts -p wa -k hosts_changes
-w /etc/network/ -p wa -k network_config_changes
-w /etc/resolv.conf -p wa -k dns_config
#Kernel Modules Changes
-a always,exit -F arch=b64 -S init_module,delete_module -k kernel_modules
#Monitoring Use of chmod, chown, etc.
-a always,exit -F arch=b64 -S chmod,chown,fchmod,fchown -k perm_mod
#File/Directory Monitoring (Sensitive paths like etc and the other application path)
-w /etc/ssh/sshd_config -p wa -k ssh_config
#-w /opt/ -p wa -k opt_changes
#Execution of Binaries which needs to be monitored specifically
-a always,exit -F path=/usr/bin/nc -F perm=x -F auid>=1000 -F auid!=4294967295 -k nc_exec
-a always,exit -F path=/usr/bin/sh -F perm=x -F auid>=1000 -F auid!=4294967295 -k sh_exec
-a always,exit -F path=/usr/bin/bash -F perm=x -F auid>=1000 -F auid!=4294967295 -k bash_exec
#Access to Credential Files
-w /etc/securetty -p wa -k securetty_changes
-w /var/log/lastlog -p wa -k login_logs
#Audit Auditd Itself
-w /etc/audit/ -p wa -k audit_config
-w /etc/audit/rules.d/ -p wa -k audit_rules
sudo augenrules --load
sudo systemctl restart auditd
Configure log rotate
sudo vi /etc/logrotate.d/rsyslog
/var/log/syslog
/var/log/mail.info
/var/log/mail.warn
/var/log/mail.err
/var/log/mail.log
/var/log/daemon.log
/var/log/kern.log
/var/log/auth.log
/var/log/user.log
/var/log/lpr.log
/var/log/cron.log
/var/log/debug
/var/log/messages
{
su root syslog
weekly
size 15M
rotate 13
maxage 90
missingok
notifempty
create 0640 syslog adm
compress
delaycompress
sharedscripts
prerotate
# Remove append-only so rotation can happen
chattr -a /var/log/syslog 2>/dev/null || true
chattr -a /var/log/auth.log 2>/dev/null || true
endscript
postrotate
/usr/lib/rsyslog/rsyslog-rotate
# Reapply append-only after rotation
chattr +a /var/log/syslog 2>/dev/null || true
chattr +a /var/log/auth.log 2>/dev/null || true
endscript
}
/var/log/audit/audit.log {
su root adm
daily
size 15M
rotate 13
maxage 90
missingok
notifempty
create 0640 root adm
compress
delaycompress
sharedscripts
prerotate
# Remove append-only so rotation can happen
chattr -a /var/log/audit/audit.log 2>/dev/null || true
endscript
postrotate
# Signal auditd to reopen logs safely
invoke-rc.d auditd rotate >/dev/null 2>&1 || true
# Reapply append-only after rotation
chattr +a /var/log/audit/audit.log 2>/dev/null || true
endscript
}
sudo chown syslog:adm /var/log/auth.log /var/log/syslog
sudo chmod 640 /var/log/auth.log /var/log/syslog
sudo chattr +a /var/log/syslog
sudo chattr +a /var/log/auth.log
sudo chattr +a /var/log/audit/audit.log
sudo systemctl restart rsyslog
sudo logrotate --debug /etc/logrotate.d/rsyslog
sudo logrotate -f /etc/logrotate.d/rsyslog
sudo ls -lh /var/log/{auth.log,syslog,audit/}
sudo lsattr /var/log/{auth.log,syslog,audit/audit.log}
Check Log rotate timer:
sudo systemctl status logrotate.timer
To find the audit events, use the filters below. The key passed to -k must be one of the keys (-k) defined in the /etc/audit/rules.d/hardening.rules file, for example bash_exec.
Search logs by Key:
sudo ausearch -k bash_exec
Search logs by Username:
sudo ausearch -k bash_exec -ua vishal.rajput
Search logs by root Users:
sudo ausearch -k bash_exec -ua 0
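As an added example, not part of the post, the following Python replays the ausearch -k KEY -ua UID filters above over a few constructed audit.log records, and first checks the requested key against the keys actually defined in a hardening.rules excerpt, so a key that no rule sets is rejected instead of silently returning nothing.

```python
import re
import shlex

# Constructed excerpt of the hardening.rules shown above (added example,
# not the post's own tooling).
RULES = """\
#Authentication Events
-w /etc/passwd -p wa -k passwd_changes
-w /etc/sudoers -p wa -k sudoers_changes
-a always,exit -F path=/usr/bin/bash -F perm=x -F auid>=1000 -F auid!=4294967295 -k bash_exec
"""
# Constructed raw audit.log records in auditd's key=value format (subset of fields).
AUDIT_LOG = """\
type=SYSCALL msg=audit(1759300001.101:201): syscall=59 success=yes auid=1001 uid=1001 comm="bash" exe="/usr/bin/bash" key="bash_exec"
type=SYSCALL msg=audit(1759300002.102:202): syscall=59 success=yes auid=0 uid=0 comm="bash" exe="/usr/bin/bash" key="bash_exec"
type=SYSCALL msg=audit(1759300003.103:203): syscall=257 success=yes auid=1001 uid=0 comm="vi" exe="/usr/bin/vi" key="sudoers_changes"
type=SYSCALL msg=audit(1759300004.104:204): syscall=59 success=yes auid=1002 uid=1002 comm="bash" exe="/usr/bin/bash" key="bash_exec"
"""
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def rule_keys(rules_text):
    """Keys (-k) defined by the -w/-a rules; comments and blank lines are skipped."""
    keys = set()
    for line in rules_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            argv = shlex.split(line)
            if "-k" in argv:
                keys.add(argv[argv.index("-k") + 1])
    return keys

def parse_record(line):
    """One raw record -> dict of fields; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def search(log_text, rules_text, key, uid_all=None):
    """Mimic `ausearch -k KEY [-ua UID]`: -ua matches auid, uid or euid.
    A key that no loaded rule sets can never match, so refuse it up front."""
    known = rule_keys(rules_text)
    if key not in known:
        raise ValueError("key %r is not set by any rule; known: %s" % (key, sorted(known)))
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("key") != key:
            continue
        if uid_all is None or any(rec.get(f) == str(uid_all) for f in ("auid", "uid", "euid")):
            hits.append(rec)
    return hits
```

Note that -ua 0 also returns the sudoers edit made by auid 1001 through sudo, because its uid field is 0; filter on auid when you want the original login user.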
ThreatQ Version 6.12.0 Installation with Kubernetes setup in RedHat Enterprise Linux 9.4
Setup Details:
CPU: 12 Cores
Memory: 64GB
Disk: 800GB Disk (Thin Provisioned)
OS: RedHat Enterprise 9.4
VM IP Address: 10.50.10.40 / threatqv6.cdsys.local
Non-sudo user: crest
Steps:
Set the maximum number of inotify instances for the installing user to 300.
sudo sed -i '/^fs\.inotify\.max_user_instances/d' /etc/sysctl.conf && printf "fs.inotify.max_user_instances = 300\n" | sudo tee -a /etc/sysctl.conf >/dev/null && sudo sysctl -p
Enable the RedHat subscription and pin the current RHEL 9 release so that the environment cannot be inadvertently upgraded to an unsupported release.
subscription-manager register --username=username --password=password (Use correct username and passwords)
subscription-manager release --show
subscription-manager release --set=9.4
subscription-manager release --show
yum clean all
Add a configuration file for RKE2
sudo mkdir -p /etc/rancher/rke2
sudo tee /etc/rancher/rke2/config.yaml <<EOF > /dev/null
node-name: node
node-ip: 10.50.10.40
node-external-ip: 10.50.10.40
EOF
Enable SELinux in the rke2 config file:
echo "selinux: true" | sudo tee -a /etc/rancher/rke2/config.yaml > /dev/null
Add RKE2 and associated utilities:
sudo tee /etc/profile.d/rke2.sh <<EOF > /dev/null
export PATH="\$PATH:/var/lib/rancher/rke2/bin"
EOF
source /etc/profile.d/rke2.sh
Reboot the VM
reboot
Install RKE2 as a Server Node (Don't Start the service)
curl -sfL https://get.rke2.io | sh -
systemctl status rke2-server.service
systemctl enable rke2-server.service
Reboot the VM
reboot
Check RKE2 service status
systemctl status rke2-server.service
Copy the RKE2 kubeconfig file to non-root user's home directory and set the appropriate permissions (same can be created for root user as well)
mkdir -p ~/.kube
sudo cp /etc/rancher/rke2/rke2.yaml ~/.kube/config
sudo chmod 600 ~/.kube/config
su - crest
mkdir -p ~/.kube
sudo cp /etc/rancher/rke2/rke2.yaml ~/.kube/config
sudo chmod 600 ~/.kube/config
sudo chown crest:crest ~/.kube/config
Switch to root user and check the status of pods.
su - root
kubectl get pods -A
Download the most recent version of TQAdmin with the command below.
cd /opt/
curl -fO -u cds https://install-v6.threatq.com/tqadmin.rpm
Install TQAdmin
sudo rpm -Uvh tqadmin.rpm
Run the following command to provision your deployment:
sudo /usr/local/bin/tqadmin configure
Do you want to enable OpenDXL (TQX)? (yes/no): no
Do you want to enable the embedded TAXII server? (yes/no): yes
Do you want to use your own SSL certificate? (yes/no): yes
Enter the file path for your certificate: /opt/certs/cert.crt
Enter the file path for your private key: /opt/certs/cert.key
Do you want to enable CAC/mTLS? (yes/no): no
Enter the FQDN of the server: threatqv6.cdsys.local
Enter your YUM repository username: cds
Enter your YUM repository password: <yum repo password which is of threatq portal to get the threatq updates>
Run the following command to install ThreatQ (the installer takes approximately 15 minutes; keep an eye on the screen during this window and do not leave the session idle; pressing the space bar keeps the session active):
/usr/local/bin/tqadmin platform install
Run the following command to generate the initial password for the ThreatQ Admin user (username = admin):
sudo /usr/local/bin/tqadmin password
Verify your ThreatQ installation by checking the status of the pods and services in your Kubernetes cluster.
kubectl get pods -A
kubectl get svc -A
kubectl get pods -n threatq
Access ThreatQ through the web UI over HTTPS.
________________________________________________________________________________
To generate the Client_ID and Client_Secret follow the below steps.
Find the API pod details
kubectl get pods --all-namespaces
Connect to the API pod using the command below
kubectl exec -it -n threatq api-8448c6f7bd-kq5vj -- /bin/sh
Execute the below command to generate the secrets
cd /var/www/api
php artisan.php threatq:oauth2-client --name "crestapi"
Share the client_id & client_secret with the requester.
Monday, July 28, 2025
Join an Ubuntu Machine to Active Directory and Configure Cisco DUO MFA
Join Ubuntu VM to Domain
Step 1: Check and correct the VM name
hostnamectl set-hostname FQDN-HOSTNAME
hostname FQDN-HOSTNAME
vi /etc/hosts
Step 2: Install Required Packages
apt update && apt upgrade -y
apt install realmd sssd sssd-tools libnss-sss libpam-sss adcli samba-common-bin oddjob oddjob-mkhomedir packagekit -y
systemctl enable --now oddjobd
reboot
Step 3: Discover the Domain
realm discover domain.local
Step 4: Join the Domain
realm join --user=vishal.rajput domain.local
realm list
Step 5: Create a Local Linux Group
groupadd ssh-admins
Step 6: Add Domain Users to the Local Group
usermod -a -G ssh-admins 'vishal.rajput@domain.local'
Step 7: Restrict Logins to Local Group Only
vi /etc/sssd/sssd.conf
[sssd]
domains = DOMAIN.LOCAL
config_file_version = 2
services = nss, pam, ssh
[domain/DOMAIN.LOCAL]
ad_domain = DOMAIN.LOCAL
krb5_realm = DOMAIN.LOCAL
realmd_tags = manages-system joined-with-adcli
id_provider = ad
access_provider = simple
simple_allow_groups = domain admins, ssh-admins
# Recommended for login experience
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
default_shell = /bin/bash
ldap_id_mapping = True
cache_credentials = True
krb5_store_password_if_offline = True
systemctl restart sssd
Step 8: Check & Configure the nsswitch settings
vi /etc/nsswitch.conf
passwd: compat systemd sss
group: compat systemd sss
shadow: compat sss
Step 9: Grant sudo Access to Local Group
visudo
%ssh-admins ALL=(ALL:ALL) ALL
Step 10: Update /etc/ssh/sshd_config
vi /etc/ssh/sshd_config
UsePAM yes
Step 11: Enable Home Directory Creation
pam-auth-update --force
Ensure the following are checked:
"SSSD"
"Create home directory on login" (pam_mkhomedir)
"Unix authentication"
"Unix account"
After this, the following PAM files should have references to pam_sss.so:
grep sss /etc/pam.d/common-*
You should see lines like:
/etc/pam.d/common-auth:auth [success=1 default=ignore] pam_sss.so use_first_pass
/etc/pam.d/common-account:account [success=1 new_authtok_reqd=done default=ignore] pam_sss.so
Step 12: Restart All Related Services
systemctl restart sssd
systemctl restart ssh
Step 13: Test the Setup
ssh 'vishal.rajput'@10.50.2.122
Step 14: Verify user group membership with:
id 'vishal.rajput@domain.local'
Step 15: update membership for users in the machine and try the sudo access.
usermod -a -G ssh-admins vishal.rajput
Step 16: To leave the domain, execute the below command.
realm leave DOMAIN.LOCAL
Configure DUO authentication
Once the domain login works with the above steps, make the changes below in the configuration files to get DUO working.
Installation of prerequisites for DUO configuration.
Create the Duo apt repository file:
vi /etc/apt/sources.list.d/duosecurity.list
deb [arch=amd64] https://pkg.duosecurity.com/Ubuntu jammy main
curl -s https://duo.com/DUO-GPG-PUBLIC-KEY.asc | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/duo.gpg
apt-get update && apt-get install duo-unix -y
Update the key details in the DUO configuration files. (These details are obtained from the DUO portal for the application; the key values differ for each application.)
vi /etc/duo/pam_duo.conf
[duo]
; Duo integration key
ikey = DIPZKZT8H9ELTTTVLFE2
; Duo secret key
skey = AHZoYq7j9197Bgf9bWFl1QUdLy6smEPGsFAR6pvD
; Duo API host
host = api-cf60925f.duosecurity.com
; `failmode = safe` In the event of errors with this configuration file or connection to the Duo service
; this mode will allow login without 2FA.
; `failmode = secure` This mode will deny access in the above cases. Misconfigurations with this setting
; enabled may result in you being locked out of your system.
failmode = safe
; Send command for Duo Push authentication
pushinfo = yes
autopush = yes
prompts = 1
cp /etc/duo/pam_duo.conf /etc/duo/login_duo.conf
Working “/etc/pam.d/sshd” file content:
Before adding the content, find the location of the pam_duo.so file and update the path in the file accordingly.
vi /etc/pam.d/sshd
# First, perform system password-based auth (local or SSSD)
@include common-auth
# Conditionally apply DUO for domain users only (UID >= 1000000 for SSSD)
auth [default=1 success=ok] pam_succeed_if.so uid >= 1000000
# Then trigger Duo MFA (only after password is verified)
auth required /usr/lib64/security/pam_duo.so
# Check for login restrictions (nologin, etc.)
account required pam_nologin.so
# Include account handling (local and AD)
@include common-account
# Session setup
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
@include common-session
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate
session optional pam_mail.so standard noenv
session required pam_limits.so
session required pam_env.so
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
# Password updates
@include common-password
Working “/etc/pam.d/common-auth” file content:
vi /etc/pam.d/common-auth
# /etc/pam.d/common-auth - authentication settings common to all services
auth [success=2 default=ignore] pam_unix.so nullok
#auth [success=1 default=ignore] pam_duo.so
auth [success=1 default=ignore] pam_sss.so use_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_cap.so
# end of pam-auth-update config
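To check what the two files above actually do together, here is an added example (not code from the post or from Duo) that simulates Linux-PAM's control-flag flow for the auth phase of the sshd stack with common-auth expanded in place. Module outcomes are stand-ins driven by a test-user dict, not real PAM calls; it shows that pam_duo.so runs only for domain users (uid >= 1000000) and only after their password has verified, and never runs when pam_deny.so ends the stack.

```python
# Added example, not code from the post: simulate the auth phase of the
# /etc/pam.d/sshd + common-auth stack shown above with stand-in module results.
AUTH_STACK = [  # sshd auth lines with "@include common-auth" expanded in place
    ("[success=2 default=ignore]", "pam_unix.so", "nullok"),
    ("[success=1 default=ignore]", "pam_sss.so", "use_first_pass"),
    ("requisite", "pam_deny.so", ""),
    ("required", "pam_permit.so", ""),
    ("optional", "pam_cap.so", ""),
    ("[default=1 success=ok]", "pam_succeed_if.so", "uid >= 1000000"),
    ("required", "pam_duo.so", ""),
]
KEYWORDS = {  # Linux-PAM keyword controls written as [success= default=]
    "required": "success=ok default=bad", "requisite": "success=ok default=die",
    "optional": "success=ok default=ignore"}

def parse_control(control):
    spec = KEYWORDS.get(control, control.strip("[]"))
    return dict(tok.split("=") for tok in spec.split())

def module_result(module, args, user):
    """Stand-in outcomes: pam_unix knows local users, pam_sss domain users."""
    if module == "pam_unix.so":
        return user["local"] and user["password_ok"]
    if module == "pam_sss.so":
        return not user["local"] and user["password_ok"]
    if module == "pam_deny.so":
        return False
    if module == "pam_succeed_if.so":  # only the "uid >= N" form is used above
        return user["uid"] >= int(args.split()[2])
    if module == "pam_duo.so":
        return user["mfa_ok"]
    return True  # pam_permit.so, pam_cap.so

def run_auth(user):
    """Return (authenticated, modules_invoked) for the stack above."""
    i, failed, invoked = 0, False, []
    while i < len(AUTH_STACK):
        control, module, args = AUTH_STACK[i]
        invoked.append(module)
        ok = module_result(module, args, user)
        action = parse_control(control)["success" if ok else "default"]
        if action.isdigit():  # jump N: counts as ok and skips the next N modules
            i += int(action) + 1
            continue
        if action == "die":  # requisite failure: stop immediately with failure
            return False, invoked
        if action == "done":
            return not failed, invoked
        if action == "bad":
            failed = True
        i += 1
    return not failed, invoked
```

The default=1 on pam_succeed_if.so is what makes local accounts skip Duo: in Linux-PAM a numeric action counts as ok and jumps over that many modules, so a failed uid test is not a failure.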
Enable settings in sshd_config file.
vi /etc/ssh/sshd_config
KbdInteractiveAuthentication yes
PubkeyAuthentication yes
Restart all required services and check the SSH access.
systemctl restart sshd
systemctl restart sssd