You can use the below mentioned command to generate the new token
sudo VAULT_ADDR=https://vault.cdsys.local:8200 vault token create -policy=application-policy -ttl=2160h -display-name="application"
Friday, October 3, 2025
Wednesday, October 1, 2025
Configure PTP on Solar Flare Cards
1. Create a required directory on server as mentioned below for PTP driver installation & upload the packages onto that directory.
cd /root
umask 022
mkdir SFC
cd SFC/
pwd (To verify the path /root/SFC)
2. Now upload all below required packages & license key file to this location (driver packages & solar flare keys will be provided by hardware team)
rpm -qa kernel-devel
rpm -qa gcc
rpm -qa make
rpm -qa automake
rpm -qa autoconf
rpm -qa perl
rpm -qa libtool
rpm -qa gettext
rpm -qa gawk
rpm -qa sed
rpm -qa bash
rpm -qa glibc-common
rpm -qa python
rpm -qa python-devel
rpm -qa binutils
rpm -qa libpcap
rpm -qa libpcap-devel (If this package not showing installed then need to enable universal repo and install by using yum)
4. Check & verify irqbalance service status, if running then stop & disable it.
/etc/init.d/irqbalance status
/etc/init.d/irqbalance stop
chkconfig irqbalance off
chkconfig irqbalance --list
===========================
systemctl status irqbalance
systemctl stop irqbalance
systemctl status irqbalance
systemctl disable irqbalance
systemctl is-enabled irqbalance
5. Now after verifying all the required packages extract all the driver packages.
cd /root/SFC/
tar -xzvf SF-108317-LS-6_Solarflare_Linux_diagnostics_(sfreport).tgz
tar -xzvf SF-113122-LS-12_Solarflare_Enhanced_PTP_Daemon_(sfptpd)_-_64_bit_binary_RPM.tgz
unzip SF-107601-LS-70_Solarflare_Linux_Utilities_RPM_(64bit).zip
mkdir EOL6
mv SF-121400-LS-5_EnterpriseOnload_6.zip /root/SFC/EOL6
cd EOL6
unzip SF-121400-LS-5_EnterpriseOnload_6.zip /root/SFC/EOL6
6. Check below entry in present in grub file or not, if not there then make it. (/etc/default/grub).
intel_idle.max_cstate=0 processor.max_cstate=1 idle=poll
Before Change in Grub File
Configure Audit logs & log Retaintion in Production VMs
Install the required packages
sudo apt install -y auditd audispd-plugins -y
sudo systemctl enable auditd
sudo systemctl start auditd
sudo vi /etc/audit/rules.d/hardening.rules
#Authentication Events
-w /etc/passwd -p wa -k passwd_changes
-w /etc/shadow -p wa -k shadow_changes
-w /etc/group -p wa -k group_changes
-w /etc/gshadow -p wa -k gshadow_changes
#Privilege Escalation (e.g., sudo)
-w /etc/sudoers -p wa -k sudoers_changes
-w /etc/sudoers.d/ -p wa -k sudoers_includes
#System Configuration Changes
-w /etc/hostname -p wa -k hostname_changes
-w /etc/hosts -p wa -k hosts_changes
-w /etc/network/ -p wa -k network_config_changes
-w /etc/resolv.conf -p wa -k dns_config
#Kernel Modules Changes
-a always,exit -F arch=b64 -S init_module,delete_module -k kernel_modules
#Monitoring Use of chmod, chown, etc.
-a always,exit -F arch=b64 -S chmod,chown,fchmod,fchown -k perm_mod
#File/Directory Monitoring (Sensitive paths like etc and the other application path)
-w /etc/ssh/sshd_config -p wa -k ssh_config
#-w /opt/ -p wa -k opt_changes
#Execution of Binaries which needs to be monitored specifically
-a always,exit -F path=/usr/bin/nc -F perm=x -F auid>=1000 -F auid!=4294967295 -k nc_exec
-a always,exit -F path=/usr/bin/sh -F perm=x -F auid>=1000 -F auid!=4294967295 -k sh_exec
-a always,exit -F path=/usr/bin/bash -F perm=x -F auid>=1000 -F auid!=4294967295 -k bash_exec
#Access to Credential Files
-w /etc/securetty -p wa -k securetty_changes
-w /var/log/lastlog -p wa -k login_logs
#Audit Auditd Itself
-w /etc/audit/ -p wa -k audit_config
-w /etc/audit/rules.d/ -p wa -k audit_rules
sudo augenrules --load
sudo systemctl restart auditd
Configure log rotate
sudo vi /etc/logrotate.d/rsyslog
/var/log/syslog
/var/log/mail.info
/var/log/mail.warn
/var/log/mail.err
/var/log/mail.log
/var/log/daemon.log
/var/log/kern.log
/var/log/auth.log
/var/log/user.log
/var/log/lpr.log
/var/log/cron.log
/var/log/debug
/var/log/messages
{
su root syslog
weekly
size 15M
rotate 13
maxage 90
missingok
notifempty
create 0640 syslog adm
compress
delaycompress
sharedscripts
prerotate
# Remove append-only so rotation can happen
chattr -a /var/log/syslog 2>/dev/null || true
chattr -a /var/log/auth.log 2>/dev/null || true
endscript
postrotate
/usr/lib/rsyslog/rsyslog-rotate
# Reapply append-only after rotation
chattr +a /var/log/syslog 2>/dev/null || true
chattr +a /var/log/auth.log 2>/dev/null || true
endscript
}/var/log/audit/audit.log {
su root adm
daily
size 15M
rotate 13
maxage 90
missingok
notifempty
create 0640 root adm
compress
delaycompress
sharedscripts
prerotate
# Remove append-only so rotation can happen
chattr -a /var/log/audit/audit.log 2>/dev/null || true
endscript
postrotate
# Signal auditd to reopen logs safely
invoke-rc.d auditd rotate >/dev/null 2>&1 || true
# Reapply append-only after rotation
chattr +a /var/log/audit/audit.log 2>/dev/null || true
endscript
}
sudo chown syslog:adm /var/log/auth.log /var/log/syslog
sudo chmod 640 /var/log/auth.log /var/log/syslog
sudo chattr +a /var/log/syslog
sudo chattr +a /var/log/auth.log
sudo chattr +a /var/log/audit/audit.log
sudo systemctl restart rsyslog
sudo logrotate --debug /etc/logrotate.d/rsyslog
sudo logrotate -f /etc/logrotate.d/rsyslog
sudo ls -lh /var/log/{auth.log,syslog,audit/}
sudo lsattr /var/log/{auth.log,syslog,audit/audit.log}
Check Log rotate timer:
sudo systemctl status logrotate.timer
To check and find the audit related logs you can use the below filters. You can use the filters created in /etc/audit/rules.d/hardening.rules file.
Search logs by Key:
sudo ausearch -k exec_log
Search logs by Username:
sudo ausearch -k exec_log -ua vishal.rajput
Search logs by root Users:
sudo ausearch -k exec_log -ua 0
ThreatQ Version 6.12.0 Installation with Kubernetes setup in RedHat Enterprise Linux 9.4
Setup Details:
CPU: 12Cores
Memory : 64GB
Disk: 800GB Disk (Thin Provisioned)
OS: RedHat Enterprise 9.4
VM IP Address: 10.50.10.40 / threatqv6.cdsys.local
Non-sudo user: crest
Steps:
Reference Document: Document
Set the maximum number of inotify instances for the installing user to 300.
sudo sed -i '/^fs\.inotify\.max_user_instances/d' /etc/sysctl.conf && printf "fs.inotify.max_user_instances = 300\n" | sudo tee -a /etc/sysctl.conf >/dev/null && sudo sysctl -p
Enable the RedHat subscription and pin current RHEL 9 release so that you cannot inadvertently upgrade your RHEL 9 environment to an unsupported release
subscription-manager register --username=username --password=password (Use correct username and passwords)
subscription-manager release --show
subscription-manager release --set=9.4
subscription-manager release --show
yum clean all
Add a configuration file for RKE2
sudo mkdir -p /etc/rancher/rke2
sudo tee /etc/rancher/rke2/config.yaml <<EOF > /dev/null
node-name: node
node-ip: 10.50.10.40
node-external-ip: 10.50.10.40
EOF
Enable SElinux in the rke2 config file:
echo "selinux: true" | sudo tee -a /etc/rancher/rke2/config.yaml > /dev/null
Add RKE2 and associated utilities:
sudo tee /etc/profile.d/rke2.sh <<EOF > /dev/null
export PATH="\$PATH:/var/lib/rancher/rke2/bin"
EOF
source /etc/profile.d/rke2.sh
Reboot the VM
reboot
Install RKE2 as a Server Node (Don't Start the service)
curl -sfL https://get.rke2.io | sh -
systemctl status rke2-server.service
systemctl enable rke2-server.service
Reboot the VM
reboot
Check RKE2 service status
systemctl status rke2-server.service
Copy the RKE2 kubeconfig file to non-root user's home directory and set the appropriate permissions (same can be created for root user as well)
mkdir -p ~/.kube
sudo cp /etc/rancher/rke2/rke2.yaml ~/.kube/config
sudo chmod 600 ~/.kube/configsu - crest
mkdir -p ~/.kube
sudo cp /etc/rancher/rke2/rke2.yaml ~/.kube/config
sudo chmod 600 ~/.kube/config
sudo chown crest:crest ~/.kube/config
Switch to root user and check the status of pods.
su - root
kubectl get pods -A
Download the most recent version of TQAdmin by below command.
cd /opt/
curl -fO -u cds https://install-v6.threatq.com/tqadmin.rpm
Install TQAdmin
sudo rpm -Uvh tqadmin.rpm
Run the following command to provision your deployment:
sudo /usr/local/bin/tqadmin configure
Do you want to enable OpenDXL (TQX)? (yes/no): no
Do you want to enable the embedded TAXII server? (yes/no): yes
Do you want to use your own SSL certificate? (yes/no): yes
Enter the file path for your certificate: /opt/certs/cert.crt
Enter the file path for your private key: /opt/certs/cert.key
Do you want to enable CAC/mTLS? (yes/no): no
Enter the FQDN of the server: threatqv6.cdsys.local
Enter your YUM repository username: cds
Enter your YUM repository password: <yum repo password which is of threatq portal to get the threatq updates>
Run the following command to Install ThreatQ (Installer will take approximately 15mins and during this window keep an eye on the screen and don't leave it idle, you can press space bar to keep the session active)
/usr/local/bin/tqadmin platform install
Run the following command to generate the initial password for the ThreatQ Admin user (username = admin):
sudo /usr/local/bin/tqadmin password
Verify your ThreatQ installation, check the status of the pods and services in your Kubernetes cluster.
kubectl get pods -A
kubectl get svc -A
kubectl get pods -n threatq
Access the ThreatQ using WebUI with https
________________________________________________________________________________
To generate the Client_ID and Client_Secret follow the below steps.
Find the API pod details
kubectl get pods --all-namespaces
Connect the API pod using the below command
kubectl exec -it -n threatq api-8448c6f7bd-kq5vj -- /bin/sh
Execute the below command to generate the secrets
cd /var/www/api
php artisan.php threatq:oauth2-client --name "crestapi"
Share the client_id & client_secret with the requester.
Subscribe to:
Comments (Atom)