Wednesday, October 1, 2025

Configure PTP on Solarflare Cards

1. Create the directory below on the server for the PTP driver installation and upload the packages into it.


cd /root 

umask 022 

mkdir SFC 

cd SFC/ 

pwd (to verify that the path is /root/SFC)


2. Upload the required driver packages and the license key file to this directory (both the driver packages and the Solarflare license keys are provided by the hardware team).


3. Check that the packages below are installed on the server where PTP is to be configured (rpm -qa prints nothing for a package that is not installed).

rpm -qa kernel-devel 

rpm -qa gcc 

rpm -qa make 

rpm -qa automake 

rpm -qa autoconf 

rpm -qa perl 

rpm -qa libtool 

rpm -qa gettext 

rpm -qa gawk 

rpm -qa sed 

rpm -qa bash 

rpm -qa glibc-common 

rpm -qa python 

rpm -qa python-devel 

rpm -qa binutils 

rpm -qa libpcap 

rpm -qa libpcap-devel (if this package is not installed, enable the repository that provides it and install it with yum)

4. Check the irqbalance service status; if it is running, stop and disable it so that it does not redistribute the adapter's interrupt affinity.

On SysV init systems (RHEL/CentOS 6):

/etc/init.d/irqbalance status

/etc/init.d/irqbalance stop

chkconfig irqbalance off

chkconfig irqbalance --list

On systemd systems (RHEL/CentOS 7 and later):

systemctl status irqbalance

systemctl stop irqbalance

systemctl status irqbalance

systemctl disable irqbalance

systemctl is-enabled irqbalance

5. After verifying the required packages, extract the driver packages. The file names contain parentheses, so quote them for the shell.

cd /root/SFC/

tar -xzvf 'SF-108317-LS-6_Solarflare_Linux_diagnostics_(sfreport).tgz'

tar -xzvf 'SF-113122-LS-12_Solarflare_Enhanced_PTP_Daemon_(sfptpd)_-_64_bit_binary_RPM.tgz'

unzip 'SF-107601-LS-70_Solarflare_Linux_Utilities_RPM_(64bit).zip'

mkdir EOL6

mv SF-121400-LS-5_EnterpriseOnload_6.zip /root/SFC/EOL6

cd EOL6

unzip SF-121400-LS-5_EnterpriseOnload_6.zip -d /root/SFC/EOL6 (unzip takes the destination with -d; a bare second argument is treated as the name of a member to extract)

6. Check whether the entry below is present on the GRUB_CMDLINE_LINUX line of /etc/default/grub; if not, add it, then regenerate the GRUB configuration (grub2-mkconfig) and reboot for it to take effect.

intel_idle.max_cstate=0 processor.max_cstate=1 idle=poll

Before the change in the GRUB file:
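The script below is an added example and not part of the original post. It applies step 6 idempotently: each parameter is compared as a whole token against the existing GRUB_CMDLINE_LINUX value, missing ones are appended, and re-running it changes nothing. It assumes the RHEL-style /etc/default/grub layout with a GRUB_CMDLINE_LINUX="..." line; the file it edits in the demo is a constructed copy, and grub2-mkconfig still has to be run against the real file afterwards.

```sh
#!/bin/sh
# Added example (not from the original post): add the step-6 kernel parameters to
# GRUB_CMDLINE_LINUX without duplicating any that are already present. Tokens are
# compared whole, so an existing "idle=poll" does not count as "intel_idle.max_cstate=0".
# The target file is a parameter so the demo runs on a constructed copy of a typical
# RHEL /etc/default/grub rather than on the live file.
set -e

PTP_PARAMS="intel_idle.max_cstate=0 processor.max_cstate=1 idle=poll"

# grub_cmdline FILE : print the current GRUB_CMDLINE_LINUX value without its quotes.
grub_cmdline() {
    sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' "$1"
}

# ensure_grub_params FILE "p1 p2 ..." : append every parameter that is not already
# present as a whole token; create the GRUB_CMDLINE_LINUX line if it is missing.
ensure_grub_params() {
    file=$1; params=$2
    grep -q '^GRUB_CMDLINE_LINUX=' "$file" || echo 'GRUB_CMDLINE_LINUX=""' >> "$file"
    current=$(grub_cmdline "$file")
    for p in $params; do
        # one token per line, fixed-string whole-line match
        if ! printf '%s\n' "$current" | tr ' ' '\n' | grep -qxF -- "$p"; then
            current="${current:+$current }$p"
        fi
    done
    # Write through a temp file so a failed write cannot leave FILE truncated;
    # cat into FILE keeps its inode and permissions.
    tmp=$(mktemp)
    sed "s|^GRUB_CMDLINE_LINUX=.*|GRUB_CMDLINE_LINUX=\"$current\"|" "$file" > "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# sample_grub_file : constructed copy of a stock RHEL 7 defaults file; prints its path.
sample_grub_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=rhel/root rhgb quiet"
GRUB_DISABLE_RECOVERY="true"
EOF
    printf '%s\n' "$f"
}

f=$(sample_grub_file)
ensure_grub_params "$f" "$PTP_PARAMS"
ensure_grub_params "$f" "$PTP_PARAMS"   # second run is a no-op
grub_cmdline "$f"
rm -f "$f"
# On the real file (as root), follow with:
#   grub2-mkconfig -o /boot/grub2/grub.cfg        (BIOS boot)
#   grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg (UEFI boot)
# then reboot and confirm with: cat /proc/cmdline
```

The whole-token comparison matters because a plain grep for "idle=poll" would also match an unrelated "intel_idle=poll" style token, and a substring check for "max_cstate" would be satisfied by either of the two different max_cstate parameters.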


Configure Audit Logs & Log Retention in Production VMs

 

Install the required packages

sudo apt install -y auditd audispd-plugins

sudo systemctl enable auditd

sudo systemctl start auditd

sudo vi /etc/audit/rules.d/hardening.rules


#Authentication Events
-w /etc/passwd -p wa -k passwd_changes
-w /etc/shadow -p wa -k shadow_changes
-w /etc/group -p wa -k group_changes
-w /etc/gshadow -p wa -k gshadow_changes


#Privilege Escalation (e.g., sudo)
-w /etc/sudoers -p wa -k sudoers_changes
-w /etc/sudoers.d/ -p wa -k sudoers_includes


#System Configuration Changes
-w /etc/hostname -p wa -k hostname_changes
-w /etc/hosts -p wa -k hosts_changes
-w /etc/network/ -p wa -k network_config_changes
-w /etc/resolv.conf -p wa -k dns_config


#Kernel Modules Changes (modprobe and insmod use finit_module on current kernels, so it must be included)
-a always,exit -F arch=b64 -S init_module,finit_module,delete_module -k kernel_modules


#Monitoring Use of chmod, chown, etc.
-a always,exit -F arch=b64 -S chmod,chown,fchmod,fchown -k perm_mod


#File/Directory Monitoring (Sensitive paths like etc and the other application path)
-w /etc/ssh/sshd_config -p wa -k ssh_config
#-w /opt/ -p wa -k opt_changes


#Execution of Binaries That Need Specific Monitoring (auid>=1000 limits this to real users; 4294967295 is the unset login uid of daemons)
-a always,exit -F path=/usr/bin/nc -F perm=x -F auid>=1000 -F auid!=4294967295 -k nc_exec
-a always,exit -F path=/usr/bin/sh -F perm=x -F auid>=1000 -F auid!=4294967295 -k sh_exec
-a always,exit -F path=/usr/bin/bash -F perm=x -F auid>=1000 -F auid!=4294967295 -k bash_exec


#Login Controls & Login Records
-w /etc/securetty -p wa -k securetty_changes
-w /var/log/lastlog -p wa -k login_logs


#Audit Auditd Itself
-w /etc/audit/ -p wa -k audit_config
-w /etc/audit/rules.d/ -p wa -k audit_rules

sudo augenrules --load

sudo systemctl restart auditd

Configure logrotate. The append-only attribute (chattr +a) set further down stops the logs from being truncated or rewritten by unprivileged processes, but any process running as root can clear it, so keep forwarding logs to a remote collector as the primary tamper control.

sudo vi /etc/logrotate.d/rsyslog


/var/log/syslog
/var/log/mail.info
/var/log/mail.warn
/var/log/mail.err
/var/log/mail.log
/var/log/daemon.log
/var/log/kern.log
/var/log/auth.log
/var/log/user.log
/var/log/lpr.log
/var/log/cron.log
/var/log/debug
/var/log/messages
{
        su root syslog
        weekly
        # maxsize keeps the weekly schedule and additionally rotates early past 15M;
        # a plain "size" directive would replace the schedule entirely
        maxsize 15M
        rotate 13
        maxage 90
        missingok
        notifempty
        create 0640 syslog adm
        compress
        delaycompress
        sharedscripts
        prerotate
                # Remove append-only so rotation can happen
                chattr -a /var/log/syslog 2>/dev/null || true
                chattr -a /var/log/auth.log 2>/dev/null || true
        endscript
        postrotate
                /usr/lib/rsyslog/rsyslog-rotate
                # Reapply append-only after rotation
                chattr +a /var/log/syslog 2>/dev/null || true
                chattr +a /var/log/auth.log 2>/dev/null || true
        endscript
}

# auditd has its own rotation (max_log_file, num_logs and max_log_file_action in
# /etc/audit/auditd.conf); set max_log_file_action = ignore there so that only
# one mechanism rotates this file.
/var/log/audit/audit.log {
        su root adm
        daily
        # maxsize keeps the daily schedule and additionally rotates early past 15M;
        # a plain "size" directive would replace the schedule entirely
        maxsize 15M
        rotate 13
        maxage 90
        missingok
        notifempty
        create 0640 root adm
        compress
        delaycompress
        sharedscripts
        prerotate
                # Remove append-only so rotation can happen
                chattr -a /var/log/audit/audit.log 2>/dev/null || true
        endscript
        postrotate
                # Signal auditd to reopen logs safely
                invoke-rc.d auditd rotate >/dev/null 2>&1 || true
                # Reapply append-only after rotation
                chattr +a /var/log/audit/audit.log 2>/dev/null || true
        endscript
}

sudo chown syslog:adm /var/log/auth.log /var/log/syslog

sudo chmod 640 /var/log/auth.log /var/log/syslog

sudo chattr +a /var/log/syslog

sudo chattr +a /var/log/auth.log

sudo chattr +a /var/log/audit/audit.log

sudo systemctl restart rsyslog

sudo logrotate --debug /etc/logrotate.d/rsyslog  

sudo logrotate -f /etc/logrotate.d/rsyslog       

sudo ls -lh /var/log/{auth.log,syslog,audit/}    

sudo lsattr /var/log/{auth.log,syslog,audit/audit.log}   


Check Log rotate timer:

sudo systemctl status logrotate.timer



To find audit events, filter ausearch on the keys (-k) assigned in /etc/audit/rules.d/hardening.rules. The examples below use the bash_exec key from that file.

Search logs by key:

sudo ausearch -k bash_exec

Search logs by username:

sudo ausearch -k bash_exec -ua vishal.rajput

Search logs for the root user (-ua matches uid, euid or auid, so this also returns shells a user started as root via sudo):

sudo ausearch -k bash_exec -ua 0
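The following script is an added example and not part of the original post. It triages raw ausearch output offline, by the keys defined in hardening.rules: each audit event is several records (PROCTITLE, PATH, CWD, EXECVE, SYSCALL) that share one msg=audit(timestamp:serial) id, and the functions correlate them on that id to show, per key and login uid, what was executed. It assumes the record layout that ausearch prints without -i; the sample events are constructed for the demo, not taken from a real system.

```sh
#!/bin/sh
# Added example (not from the original post): triage raw `ausearch -k <key>` output.
# audit_summary counts SYSCALL records per (key, auid); audit_execs joins the EXECVE
# argv of an event to its SYSCALL record via the shared msg=audit(ts:serial) id.
# The events in sample_audit_log are constructed, not captured from a live host.
set -e

# audit_summary FILE : one line per (key, auid): "<key> <auid> <count>"
audit_summary() {
    awk '
        /^type=SYSCALL / {
            if (match($0, /key="[^"]*"/) == 0) next
            key = substr($0, RSTART + 5, RLENGTH - 6)
            if (match($0, / auid=[0-9]+/) == 0) next
            auid = substr($0, RSTART + 6, RLENGTH - 6)
            count[key " " auid]++
        }
        END { for (k in count) print k, count[k] }
    ' "$1" | sort
}

# audit_execs FILE KEY : for each event tagged KEY print
#   "<event id> auid=<auid> exe=<exe> argv=<a0 a1 ...>"
audit_execs() {
    awk -v want="$2" '
        function event_id(s) {
            match(s, /msg=audit\([0-9.]+:[0-9]+\)/)
            return substr(s, RSTART + 10, RLENGTH - 11)
        }
        # EXECVE precedes SYSCALL in ausearch output, so buffer argv by event id.
        /^type=EXECVE / {
            id = event_id($0); n = split($0, f, " "); args = ""
            for (i = 1; i <= n; i++) if (f[i] ~ /^a[0-9]+=/) {
                v = substr(f[i], index(f[i], "=") + 1); gsub(/"/, "", v)
                args = (args == "" ? v : args " " v)
            }
            argv[id] = args
        }
        /^type=SYSCALL / {
            if (match($0, /key="[^"]*"/) == 0) next
            if (substr($0, RSTART + 5, RLENGTH - 6) != want) next
            id = event_id($0)
            match($0, / auid=[0-9]+/); auid = substr($0, RSTART + 6, RLENGTH - 6)
            match($0, /exe="[^"]*"/);  exe  = substr($0, RSTART + 5, RLENGTH - 6)
            print id, "auid=" auid, "exe=" exe, "argv=" argv[id]
        }
    ' "$1"
}

# sample_audit_log : write constructed events (a0-a3 and subj fields omitted) to a
# temp file and print its path.
sample_audit_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
----
time->Wed Oct  1 10:15:02 2025
type=PROCTITLE msg=audit(1759313702.117:2201): proctitle=2F7573722F62696E2F6E63002D6C0034343434
type=PATH msg=audit(1759313702.117:2201): item=0 name="/usr/bin/nc" inode=1310745 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=CWD msg=audit(1759313702.117:2201): cwd="/home/crest"
type=EXECVE msg=audit(1759313702.117:2201): argc=3 a0="nc" a1="-l" a2="4444"
type=SYSCALL msg=audit(1759313702.117:2201): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=2187 pid=2199 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=4 comm="nc" exe="/usr/bin/nc.openbsd" key="nc_exec"
----
time->Wed Oct  1 10:16:40 2025
type=CWD msg=audit(1759313800.330:2219): cwd="/home/crest"
type=EXECVE msg=audit(1759313800.330:2219): argc=2 a0="bash" a1="-i"
type=SYSCALL msg=audit(1759313800.330:2219): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=2187 pid=2230 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=4 comm="bash" exe="/usr/bin/bash" key="bash_exec"
----
time->Wed Oct  1 10:20:01 2025
type=CWD msg=audit(1759314001.509:2260): cwd="/tmp"
type=EXECVE msg=audit(1759314001.509:2260): argc=3 a0="nc" a1="10.50.10.40" a2="443"
type=SYSCALL msg=audit(1759314001.509:2260): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=2401 pid=2415 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=5 comm="nc" exe="/usr/bin/nc.openbsd" key="nc_exec"
----
time->Wed Oct  1 10:45:00 2025
type=PATH msg=audit(1759315500.002:2305): item=1 name="/etc/sudoers" inode=262580 dev=fd:01 mode=0100440 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=CWD msg=audit(1759315500.002:2305): cwd="/root"
type=SYSCALL msg=audit(1759315500.002:2305): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=1402 pid=3310 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=6 comm="visudo" exe="/usr/sbin/visudo" key="sudoers_changes"
EOF
    printf '%s\n' "$f"
}

f=$(sample_audit_log)
audit_summary "$f"          # who triggered which key, how often
audit_execs "$f" nc_exec    # every nc invocation with its full argv
rm -f "$f"
```

On a live host, feed it with `sudo ausearch -k nc_exec --raw > /tmp/nc.log` and run audit_execs on that file; the auid column is the login uid that survives sudo, which is the value the auid>=1000 filter in the rules is built on.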

ThreatQ 6.12.0 Installation with Kubernetes (RKE2) on Red Hat Enterprise Linux 9.4

 

Setup Details: 

CPU: 12 cores

Memory: 64 GB

Disk: 800 GB (thin provisioned)

OS: Red Hat Enterprise Linux 9.4

VM IP address: 10.50.10.40 / threatqv6.cdsys.local

Non-sudo user: crest


Steps: 

Reference Document: Document

Set the maximum number of inotify instances for the installing user to 300.

sudo sed -i '/^fs\.inotify\.max_user_instances/d' /etc/sysctl.conf && printf "fs.inotify.max_user_instances = 300\n" | sudo tee -a /etc/sysctl.conf >/dev/null && sudo sysctl -p

Enable the Red Hat subscription and pin the current RHEL 9 release so that the system cannot inadvertently be upgraded to an unsupported release.

subscription-manager register --username=username (use the correct username; omit --password so that it is prompted for interactively instead of being left in the shell history)

subscription-manager release --show

subscription-manager release --set=9.4

subscription-manager release --show

yum clean all

Add a configuration file for RKE2

sudo mkdir -p /etc/rancher/rke2

sudo tee /etc/rancher/rke2/config.yaml <<EOF > /dev/null
node-name: node
node-ip:     10.50.10.40
node-external-ip: 10.50.10.40
EOF


Enable SELinux support in the RKE2 config file:

echo "selinux: true" | sudo tee -a /etc/rancher/rke2/config.yaml > /dev/null

Add the RKE2 binaries (including kubectl) to PATH for all users:

sudo tee /etc/profile.d/rke2.sh <<EOF > /dev/null
export PATH="\$PATH:/var/lib/rancher/rke2/bin"
EOF

source /etc/profile.d/rke2.sh

Reboot the VM

reboot

Install RKE2 as a Server Node (Don't Start the service)

curl -sfL https://get.rke2.io | sh -

systemctl status rke2-server.service

systemctl enable rke2-server.service

Reboot the VM

reboot

Check RKE2 service status

systemctl status rke2-server.service

Copy the RKE2 kubeconfig to the non-root user's home directory and set ownership and permissions. rke2.yaml carries cluster-admin credentials, so keep every copy at mode 600. Because crest has no sudo rights, do the copy as root with explicit paths rather than via su - crest (the same can be done for root's own ~/.kube/config):

mkdir -p ~/.kube
cp /etc/rancher/rke2/rke2.yaml ~/.kube/config
chmod 600 ~/.kube/config

install -d -m 700 -o crest -g crest /home/crest/.kube
install -m 600 -o crest -g crest /etc/rancher/rke2/rke2.yaml /home/crest/.kube/config

Switch to the root user and check the status of the pods.

su - root

kubectl get pods -A

Download the most recent version of TQAdmin by below command.

cd /opt/

curl -fO -u cds https://install-v6.threatq.com/tqadmin.rpm

Install TQAdmin

sudo rpm -Uvh tqadmin.rpm

Run the following command to provision your deployment:

sudo /usr/local/bin/tqadmin configure

Do you want to enable OpenDXL (TQX)? (yes/no): no
Do you want to enable the embedded TAXII server? (yes/no): yes
Do you want to use your own SSL certificate? (yes/no): yes
Enter the file path for your certificate: /opt/certs/cert.crt
Enter the file path for your private key: /opt/certs/cert.key
Do you want to enable CAC/mTLS? (yes/no): no
Enter the FQDN of the server: threatqv6.cdsys.local
Enter your YUM repository username: cds
Enter your YUM repository password: <yum repo password which is of threatq portal to get the threatq updates>

Run the following command to install ThreatQ (the installer takes approximately 15 minutes; keep the session active during this window, for example by pressing the space bar, and do not leave it idle):

/usr/local/bin/tqadmin platform install

Run the following command to generate the initial password for the ThreatQ Admin user (username = admin):

sudo /usr/local/bin/tqadmin password

Verify the ThreatQ installation by checking the status of the pods and services in the Kubernetes cluster:

kubectl get pods -A

kubectl get svc -A

kubectl get pods -n threatq

Access ThreatQ through the web UI over HTTPS (https://threatqv6.cdsys.local) and log in as admin with the generated password.
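The script below is an added example, not part of the original post or of ThreatQ's tooling. It turns the manual "kubectl get pods -A" check above into a pass/fail test: a pod counts as healthy only when its STATUS is Running with all containers ready (READY n/n) or when it is a finished job (Completed/Succeeded). The table it parses is a constructed sample; the pod names in it are made up and do not reflect ThreatQ's real deployment names.

```sh
#!/bin/sh
# Added example (not from the original post): decide whether a `kubectl get pods -A`
# listing shows a finished install. Only the first four columns
# (NAMESPACE NAME READY STATUS) are used, so the "RESTARTS" column format of newer
# kubectl versions ("4 (2m ago)") does not matter. The sample table is constructed.
set -e

# unhealthy_pods FILE : print "namespace/name READY STATUS" for every pod that is
# neither Running with all containers ready nor a completed job.
unhealthy_pods() {
    awk 'NR > 1 {
        ns = $1; name = $2; ready = $3; status = $4
        split(ready, r, "/")
        ok = (status == "Completed" || status == "Succeeded") ||
             (status == "Running" && r[1] == r[2])
        if (!ok) print ns "/" name, ready, status
    }' "$1"
}

# pods_healthy FILE : exit 0 when no unhealthy pods remain, 1 otherwise.
pods_healthy() {
    [ -z "$(unhealthy_pods "$1")" ]
}

# sample_pods : constructed listing with one crash-looping pod and one pod whose
# second container is not ready; prints the temp file path.
sample_pods() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
NAMESPACE     NAME                                           READY   STATUS             RESTARTS   AGE
kube-system   etcd-node                                      1/1     Running            0          20m
kube-system   kube-apiserver-node                            1/1     Running            0          20m
kube-system   rke2-coredns-rke2-coredns-6bc8b7f4f7-k2xz9     1/1     Running            0          19m
kube-system   helm-install-rke2-canal-7nq4b                  0/1     Completed          0          20m
threatq       threatq-api-7c9d8c6b5d-wq9k2                   0/1     CrashLoopBackOff   4          6m
threatq       threatq-web-5f6d7c8b9a-h3pl7                   1/2     Running            0          6m
threatq       threatq-migrate-2xk9c                          0/1     Completed          0          7m
threatq       threatq-mysql-0                                1/1     Running            0          8m
EOF
    printf '%s\n' "$f"
}

f=$(sample_pods)
unhealthy_pods "$f"
pods_healthy "$f" && echo "all pods healthy" || echo "install not ready yet"
rm -f "$f"
```

Against the live cluster, run `kubectl get pods -A > /tmp/pods.txt && pods_healthy /tmp/pods.txt` in a loop after `tqadmin platform install`; a pod stuck at 1/2 Running is exactly the case a plain "are all pods Running" glance misses.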