Hi,

I tried this command but it ended with a syntax error.


 $> spacecmd softwarechannel_regenerateyumcache <channel-label>

I think this option, "softwarechannel_regenerateyumcache", is not available with this spacecmd.

Best Regards,

Suhail Siddiqui


________________________________
From: spacewalk-list-requ...@redhat.com
Sent: Wednesday, August 15, 2018 5:26 PM
To: spacewalk-list@redhat.com
Subject: Spacewalk-list Digest, Vol 123, Issue 37

Send Spacewalk-list mailing list submissions to
        spacewalk-list@redhat.com

To subscribe or unsubscribe via the World Wide Web, visit
        https://www.redhat.com/mailman/listinfo/spacewalk-list
or, via email, send a message with subject or body 'help' to
        spacewalk-list-requ...@redhat.com

You can reach the person managing the list at
        spacewalk-list-ow...@redhat.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Spacewalk-list digest..."


Today's Topics:

   1. Re: Spacewalk-list Digest, Vol 123, Issue 36
      (suhail.siddi...@visitor.upm.com)
   2. Re: only SUSE 11 SP4 update pkg push from spacewalk not
      worked (Michael Calmer)
   3. Kickstart Templates - Import Error (Raymond Setchfield)


----------------------------------------------------------------------

Message: 1
Date: Wed, 15 Aug 2018 11:38:25 +0000
From: <suhail.siddi...@visitor.upm.com>
To: <spacewalk-list@redhat.com>
Subject: Re: [Spacewalk-list] Spacewalk-list Digest, Vol 123, Issue 36
Message-ID:
        <71d8cffcd5454ddda5d0237a6daef...@am3pr3701mb0036.054d.mgd.msft.net>
Content-Type: text/plain; charset="us-ascii"

Yes, I have checked that but it didn't work. Also, when I run zypper dup, it
shows so many updates, and when I install the updates using dup and reboot the
servers nothing changes and every update is still available as it was.

Also, when I used a different repository from the SMT server and ran zypper
update, it showed all available updates and the update installs and works.

Best Regards,
Suhail Siddiqui

-----Original Message-----
From: spacewalk-list-boun...@redhat.com <spacewalk-list-boun...@redhat.com> On 
Behalf Of spacewalk-list-requ...@redhat.com
Sent: 15 August 2018 14:09
To: spacewalk-list@redhat.com
Subject: Spacewalk-list Digest, Vol 123, Issue 36


Today's Topics:

   1. only SUSE 11 SP4 update pkg push from spacewalk not worked
      (suhail.siddi...@visitor.upm.com)
   2. Re: only SUSE 11 SP4 update pkg push from spacewalk not
      worked (Flores, Javier (D4\INF\IT ID))
   3. Autoaccept GPG Key (Joaquin Henriquez)


----------------------------------------------------------------------

Message: 1
Date: Wed, 15 Aug 2018 10:03:09 +0000
From: <suhail.siddi...@visitor.upm.com>
To: <spacewalk-list@redhat.com>
Subject: [Spacewalk-list] only SUSE 11 SP4 update pkg push from
spacewalk not worked
Message-ID:
<a3d49183d79f47cf8bfd5611b7ae7...@he1pr3701mb0043.054d.mgd.msft.net>
Content-Type: text/plain; charset="us-ascii"

Hi,

Only SUSE 11 SP4 has this issue: when I push a package update from Spacewalk to
the client it fails with "not found"; when I run zypper update on the client it
says no updates are available; however, the Spacewalk web console shows all
critical and bug-fix updates as available.

Please help me fix this. I have already removed the cache from the Spacewalk
server for this repository and tried everything, but it didn't work.


Thanks
Suhail Siddiqui


________________________________
Please note. The information contained in this message is confidential and is 
intended only for the use of the individual named above and others who have 
been specially authorized to receive it. If you are not the intended recipient, 
you are hereby notified that any dissemination, distribution or copying of this 
communication is strictly prohibited. The attachments have been scanned for 
viruses prior to leaving our E-mail system. UPM-Kymmene Corporation shall not 
be liable for any consequences of any virus being passed on.

------------------------------

Message: 2
Date: Wed, 15 Aug 2018 10:33:56 +0000
From: "Flores, Javier (D4\\INF\\IT ID)" <javier.flo...@gmz.migros.ch>
To: "'spacewalk-list@redhat.com'" <spacewalk-list@redhat.com>
Subject: Re: [Spacewalk-list] only SUSE 11 SP4 update pkg push from
spacewalk not worked
Message-ID:
<49ec69e1c8cbc144a57bfc099d35eb01c7d48...@hnexm01b.datacenter-migros.ch>

Content-Type: text/plain; charset="us-ascii"

Hi,

Have you already tried deleting the local caches (zypper clean -a) on your 
sles11sp4 server?

Regards,
Javier

From: spacewalk-list-boun...@redhat.com
[mailto:spacewalk-list-boun...@redhat.com] On Behalf Of
suhail.siddi...@visitor.upm.com
Sent: Wednesday, 15 August 2018 12:03
To: spacewalk-list@redhat.com
Subject: [Spacewalk-list] only SUSE 11 SP4 update pkg push from spacewalk not
worked

Hi,

Only SUSE 11 SP4 has this issue: when I push a package update from Spacewalk to
the client it fails with "not found"; when I run zypper update on the client it
says no updates are available; however, the Spacewalk web console shows all
critical and bug-fix updates as available.

Please help me fix this. I have already removed the cache from the Spacewalk
server for this repository and tried everything, but it didn't work.


Thanks
Suhail Siddiqui



------------------------------

Message: 3
Date: Wed, 15 Aug 2018 11:08:25 +0000
From: Joaquin Henriquez <joaquin.henriq...@countercept.com>
To: "spacewalk-list@redhat.com" <spacewalk-list@redhat.com>
Subject: [Spacewalk-list] Autoaccept GPG Key
Message-ID:
<43d78a66e0934b57aa51396a44190...@bskexch2013hypv.mwrinfosecurity.com>
Content-Type: text/plain; charset="windows-1252"

Hi Guys

When configuring the GPG key of the channel I put in file:///etc/pki/rpm/GPG-KEY,
the KEY-ID and the fingerprint.
When updating a client it takes the file from that path.

ERROR:
Error while executing packages action: Refusing to automatically import keys
when running unattended. [[6]]

That means I need to confirm the GPG key. Is there a way to auto-accept?

Total size: 480 k
Is this ok [y/d/N]: y
Downloading packages:
warning: 
/var/cache/yum/x86_64/7/elasticseach_curator_4/packages/python-setuptools-27.3.0-1.noarch.rpm:
 Header V4 RSA/SHA1 Signature, key ID d88e42b4: NOKEY Retrieving key from 
file:///etc/pki/rpm-gpg/GPG-KEY-elasticsearch
Importing GPG key 0xD88E42B4:
Userid     : "Elasticsearch (Elasticsearch Signing Key) 
<dev_...@elasticsearch.org>"
Fingerprint: 4609 5acc 8548 582c 1a26 99a9 d27d 666c d88e 42b4
From       : /etc/pki/rpm-gpg/GPG-KEY-elasticsearch
Is this ok [y/N]:
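Added shell example, not from the thread, showing the defender's alternative to auto-accepting a key: compare the key file's fingerprint with the value published for it, and only then import it into the RPM database, so that later unattended yum runs find the key already trusted instead of stopping at the "Refusing to automatically import keys" prompt. The expected fingerprint is the Elasticsearch one in the output above; the function names and the GnuPG 2.1+ invocation in key_file_fpr are my assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: verify a repository signing key's
# fingerprint against the published value before importing it into the
# rpmdb. The expected fingerprint below is the one quoted in the message;
# function names and the gpg invocation are assumptions of mine.

EXPECTED_FPR='4609 5acc 8548 582c 1a26 99a9 d27d 666c d88e 42b4'

# Canonical form: upper-case hex, no blanks, no 0x prefix, so a fingerprint
# copied from a vendor page, from gpg or from yum output compares equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t' | sed 's/^0[xX]//' | tr 'abcdef' 'ABCDEF'
}

# 0 when both strings name the same 40-hex-digit fingerprint, 1 otherwise.
fpr_matches() {
    a=$(normalize_fpr "$1"); b=$(normalize_fpr "$2")
    [ -n "$a" ] && [ "${#a}" -eq 40 ] && [ "$a" = "$b" ]
}

# The 8-character key ID yum prints ("key ID d88e42b4") is the tail of the
# fingerprint; 0 when it is consistent with the expected fingerprint.
keyid_matches_fpr() {
    id=$(normalize_fpr "$1"); f=$(normalize_fpr "$2")
    [ "${#id}" -eq 8 ] && [ "$(printf '%s' "$f" | tail -c 8)" = "$id" ]
}

# Primary-key fingerprint of an armoured key file (GnuPG 2.1+ syntax; older
# versions need "gpg --with-fingerprint --with-colons <file>" instead).
key_file_fpr() {
    gpg --batch --with-colons --show-keys "$1" 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# Import into the rpmdb only when the file carries the expected key:
# 0 imported, 1 fingerprint mismatch, 2 no key readable from the file.
import_trusted_key() {
    keyfile=$1; expected=$2
    actual=$(key_file_fpr "$keyfile")
    if [ -z "$actual" ]; then
        echo "cannot read a key from $keyfile" >&2; return 2
    fi
    if ! fpr_matches "$actual" "$expected"; then
        echo "fingerprint mismatch for $keyfile: $actual" >&2; return 1
    fi
    rpm --import "$keyfile"
}
```

In a kickstart %post or a Spacewalk remote command the call would be `import_trusted_key /etc/pki/rpm-gpg/GPG-KEY-elasticsearch "$EXPECTED_FPR"`; the short key ID in the yum warning can be checked against the same constant with `keyid_matches_fpr d88e42b4 "$EXPECTED_FPR"`.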

------------------------------

_______________________________________________
Spacewalk-list mailing list
Spacewalk-list@redhat.com
https://www.redhat.com/mailman/listinfo/spacewalk-list

End of Spacewalk-list Digest, Vol 123, Issue 36
***********************************************




------------------------------

Message: 2
Date: Wed, 15 Aug 2018 13:39:50 +0200
From: Michael Calmer <m...@suse.de>
To: spacewalk-list@redhat.com
Subject: Re: [Spacewalk-list] only SUSE 11 SP4 update pkg push from
        spacewalk not worked
Message-ID: <1761334.fggyKL0tM1@lesch>
Content-Type: text/plain; charset="iso-8859-1"

Hi

This might also happen when Spacewalk does not re-generate the metadata.
Look in /var/cache/rhn/repodata/<channel-label>/ and remove all files.

After this, trigger a re-generation, maybe with

 $> spacecmd softwarechannel_regenerateyumcache <channel-label>

Wait until the generation is finished (no .new files in the cache dir) and try
again.

On Wednesday, 15 August 2018 at 12:33:56 CEST, Flores, Javier (D4\INF\IT
ID) wrote:
> Hi,
>
> Have you already tried deleting the local caches (zypper clean -a) on your 
> sles11sp4 server?
>
> Regards,
> Javier
>
> From: spacewalk-list-boun...@redhat.com
> [mailto:spacewalk-list-boun...@redhat.com] On Behalf Of
> suhail.siddi...@visitor.upm.com
> Sent: Wednesday, 15 August 2018 12:03
> To: spacewalk-list@redhat.com
> Subject: [Spacewalk-list] only SUSE 11 SP4 update pkg push from spacewalk not
> worked
>
> Hi,
>
> Only SUSE 11 SP4 has this issue: when I push a package update from Spacewalk to
> the client it fails with "not found"; when I run zypper update on the client it
> says no updates are available; however, the Spacewalk web console shows all
> critical and bug-fix updates as available.
>
> Please help me fix this. I have already removed the cache from the Spacewalk
> server for this repository and tried everything, but it didn't work.
>
>
> Thanks
> Suhail Siddiqui
>


--
Regards

        Michael Calmer

--------------------------------------------------------------------------
Michael Calmer
SUSE LINUX GmbH, Maxfeldstr. 5, D-90409 Nuernberg
T: +49 (0) 911 74053 0
F: +49 (0) 911 74053575  - e-mail: michael.cal...@suse.com
--------------------------------------------------------------------------
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton,
                     HRB 21284 (AG Nürnberg)
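The procedure Michael describes, as an added shell example that is not part of the original message: it validates the channel label, clears the channel's metadata files under /var/cache/rhn/repodata/<channel-label>/, triggers the rebuild with the spacecmd subcommand quoted above, and polls until no .new files remain. The repomd.xml completeness check, the poll interval and the REPODATA_ROOT/SPACECMD overrides are assumptions of mine, not Spacewalk documentation.

```shell
#!/bin/sh
# Added example, not from the thread: the cache rebuild Michael describes
# (clear /var/cache/rhn/repodata/<channel-label>/, trigger regeneration with
# spacecmd, wait until no .new files remain) as a script. The repomd.xml
# completion check, the poll interval and the REPODATA_ROOT/SPACECMD
# overrides are assumptions of mine.
REPODATA_ROOT=${REPODATA_ROOT:-/var/cache/rhn/repodata}
SPACECMD=${SPACECMD:-spacecmd}

# "<channel-label>" in the command line is a placeholder; typed literally, the
# angle brackets are shell redirections and the shell reports a syntax error.
# A real label is a plain token of letters, digits, ".", "_" and "-".
valid_channel_label() {
    case $1 in
        '' | *[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Finished: the channel directory exists, repomd.xml has been written and no
# half-written *.new files are left (assumed layout: repomd.xml at the top).
regeneration_finished() {
    [ -d "$1" ] && [ -f "$1/repomd.xml" ] &&
        [ -z "$(find "$1" -name '*.new' 2>/dev/null)" ]
}

# Returns 0 on success, 2 for a bad label, 3 if spacecmd fails, 4 on timeout.
regenerate_channel_cache() {
    label=$1
    valid_channel_label "$label" || { echo "bad channel label: $label" >&2; return 2; }
    dir="$REPODATA_ROOT/$label"
    # 1. remove the stale metadata files; the directory itself stays
    if [ -d "$dir" ]; then find "$dir" -type f -exec rm -f {} +; fi
    # 2. ask Spacewalk to rebuild the yum metadata for this channel
    "$SPACECMD" softwarechannel_regenerateyumcache "$label" || return 3
    # 3. poll for completion: 120 x 5 s, ten minutes at most
    i=0
    while [ "$i" -lt 120 ]; do
        if regeneration_finished "$dir"; then return 0; fi
        sleep 5
        i=$((i + 1))
    done
    echo "timed out waiting for $dir" >&2
    return 4
}
```

Run as `regenerate_channel_cache sles11-sp4-updates` (a constructed label); the literal string `<channel-label>` is rejected up front rather than being handed to the shell as two redirections.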




------------------------------

Message: 3
Date: Wed, 15 Aug 2018 12:55:47 +0100
From: Raymond Setchfield <raymond.setchfi...@gmail.com>
To: spacewalk-list@redhat.com
Subject: [Spacewalk-list] Kickstart Templates - Import Error
Message-ID:
        <capzefq5hrbxxzwajxjdvlwt1r8zjkbbgp74luctvbym3wao...@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Hi

Still having difficulties with the kickstart template which I am importing.
I have received the following error:

# *** ERROR ***
#
# There is a templating error preventing this file from rendering correctly.
#
# This is most likely not due to a bug in Cobbler and is something you can fix.
#
# Look at the message below to see what things are causing problems.
#
# (1) Does the template file reference a $variable that is not defined?
# (2) is there a formatting error in a Cheetah directive?
# (3) Should dollar signs ($) be escaped that are not being escaped?
#
# Try fixing the problem and then investigate to see if this message goes
# away or changes.
#
#
# invalid syntax (<string>, line 1)
#   File "/usr/lib/python2.7/site-packages/cobbler/templar.py", line 142, in render
#     data_out = t.respond()
#
#   File "cheetah_DynamicallyCompiledCheetahTemplate_1534333865_22_95256.py", line 559, in respond
#
#   File "cheetah_DynamicallyCompiledCheetahTemplate_1534333865_22_95256.py", line 91, in __errorCatcher4
#

I have attached the kickstart which I am attempting to import. Any help
would be greatly appreciated

Ray
-------------- next part --------------
# Kickstart Template Based on CIS (Centre for Internet Security)
# This kickstart conforms to the stardard on benchmark version 2.1.1
# Raymond Setchfield
# Date 13/08/18
#


install
lang en_GB.UTF-8
keyboard --vckeymap=uk --xlayouts='uk'
timezone Europe/London --isUtc
auth --useshadow --passalgo=sha512                       # CIS 5.3.4
firewall --enabled
services --enabled=NetworkManager,sshd
eula --agreed
ignoredisk --only-use=sda
reboot

bootloader --location=mbr --append=" crashkernel=auto"
zerombr
clearpart --all --initlabel
part swap --asprimary --fstype="swap" --recommended
part /boot --fstype xfs --size=1024
part pv.01 --size=1 --grow
volgroup vg_root pv.01
logvol / --fstype xfs --name=root --vgname=vg_root --size=5120 --grow
# CIS 1.1.2-1.1.5
logvol /tmp --vgname vg_root --name tmp --size=500 --fsoptions="nodev,nosuid,noexec"
# CIS 1.1.11
logvol /var/log --vgname vg_root --name log --size=1024
# CIS 1.1.12
logvol /var/log/audit --vgname vg_root --name audit --size=1024
# CIS 1.1.13-1.1.14
logvol /home --vgname vg_root --name home --size=1024 --fsoptions="nodev"

rootpw yourpasswordhere

cdrom

%packages --ignoremissing
@core
aide                             # CIS 1.3.1
tcp_wrappers                    # CIS 3.4
rsyslog                         # CIS 4.2.1
#cronie-anacron
-setroubleshoot          # CIS 1.6.1.4
-mcstrans                 # CIS 1.6.1.5
-telnet                  # CIS 2.3.4
-rsh-server                      # CIS 2.2.17
-rsh                            # CIS 2.3.2
-ypbind                         # CIS 2.1.1
-ypserv                         # CIS 2.2.16
-tftp                           # CIS 2.1.7
-tftp-server                    # CIS 2.2.20
-talk                           # CIS 2.3.3
-talk-server                    # CIS 2.2.18
-xinetd                         # CIS 2.1.7
-xorg-x11-server-common         # CIS 2.2.2
-avahi-daemon                   # CIS 2.2.3
-cups                           # CIS 2.2.4
-dhcp                           # CIS 2.2.5
-openldap                       # CIS 2.2.6
%end

%post --log=/root/postinstall.log

###############################################################################
# /etc/fstab
# CIS 1.1.6 + 1.1.15-1.1.17
cat << EOF >> /etc/fstab
/tmp      /var/tmp    none    bind    0 0
none    /dev/shm        tmpfs   nosuid,nodev,noexec     0 0
EOF

###############################################################################

# Disable mounting of unneeded filesystems CIS 1.1.1 and CIS 3.5
cat << EOF >> /etc/modprobe.d/CIS.conf
install cramfs /bin/true
install freevxfs /bin/true
install jffs2 /bin/true
install hfs /bin/true
install hfsplus /bin/true
install squashfs /bin/true
install udf /bin/true
install dccp /bin/true
install sctp /bin/true
install rds /bin/true
install tipc /bin/true
EOF

df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null | xargs chmod a+t

rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release        # CIS 1.2.3

systemctl enable firewalld                      # CIS 3.6
systemctl enable rsyslog                        # CIS 4.2.1.1
systemctl enable auditd                         # CIS 4.1.2
systemctl enable crond                          # CIS 5.1.1

# Set bootloader password                               # CIS 1.5.3
# hash generated with grub2-mkpasswd-pbkdf2; keep the clear-text password out of the template
cat << EOF2 >> /etc/grub.d/01_users
#!/bin/sh -e

cat << EOF
set superusers="bootuser"
password_pbkdf2 bootuser grub.pbkdf2.sha512.10000.44D91DCFB72B53F27C58A4EAEBF29A210CB57469FB5CAA8935585856232A6CE70A2B58CE8BBAF7A9618848836F1793EC575AD1BF5959472D3AA5ECB6A05C92D2.89E0A18B9AB9080642209EAC8FC69CB988062579B68C27A16281900FFC79CE60AE1155409F78DDCFC92C40FF87A7C2F5A80899515B5CF9D15044E34658CBBD6B
EOF
EOF2

sed -i 's/^GRUB_CMDLINE_LINUX="/GRUB_CMDLINE_LINUX="audit=1 /' /etc/default/grub  # CIS 4.1.3
grub_cfg='/boot/grub2/grub.cfg'
grub2-mkconfig -o ${grub_cfg}

# Restrict Core Dumps                                   # CIS 1.5.1
echo \* hard core 0 >> /etc/security/limits.conf

# sysctl.conf has no inline comment syntax (everything after "=" is the value),
# so the CIS references go on their own lines
cat << EOF >> /etc/sysctl.conf
# CIS 1.5.1
fs.suid_dumpable = 0
# CIS 1.5.3
kernel.randomize_va_space = 2
# CIS 3.1.1
net.ipv4.ip_forward = 0
# CIS 3.1.2
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# CIS 3.2.1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# CIS 3.2.2
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# CIS 3.2.3
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
# CIS 3.2.4
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# CIS 3.2.5
net.ipv4.icmp_echo_ignore_broadcasts = 1
# CIS 3.2.6
net.ipv4.icmp_ignore_bogus_error_responses = 1
# CIS 3.2.7
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# CIS 3.2.8
net.ipv4.tcp_syncookies = 1
# CIS 3.3.1
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0
# CIS 3.3.2 (the sysctl is accept_redirects, plural)
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# CIS 3.3.3
net.ipv6.conf.all.disable_ipv6 = 1
EOF

echo "NETWORKING_IPV6=no" >> /etc/sysconfig/network
echo "IPV6INIT=no" >> /etc/sysconfig/network
echo "options ipv6 disable=1" >> /etc/modprobe.d/ipv6.conf
echo "net.ipv6.conf.all.disable_ipv6=1" >> /etc/sysctl.d/ipv6.conf

cd /usr/lib/systemd/system
rm default.target
ln -s multi-user.target default.target

echo "ALL: ALL" >> /etc/hosts.deny                      # CIS 3.4.3
chown root:root /etc/hosts.deny                         # CIS 3.4.5
chmod 644 /etc/hosts.deny                               # CIS 3.4.5

chown root:root /etc/rsyslog.conf
chmod 600 /etc/rsyslog.conf
# CIS 4.2.1.2 - 4.2.1.3  Configure /etc/rsyslog.conf - This is environment specific
cat << EOF >> /etc/rsyslog.conf
auth,user.* /var/log/user
kern.* /var/log/kern.log
daemon.* /var/log/daemon.log
syslog.* /var/log/syslog
lpr,news,uucp,local0,local1,local2,local3,local4,local5,local6.* /var/log/unused.log
EOF

touch /var/log/user /var/log/kern.log /var/log/daemon.log /var/log/syslog /var/log/unused.log
chmod og-rwx /var/log/user /var/log/kern.log /var/log/daemon.log /var/log/syslog /var/log/unused.log
chown root:root /var/log/user /var/log/kern.log /var/log/daemon.log /var/log/syslog /var/log/unused.log

# CIS 4.2.1.4 - 4.2.1.5  Configure rsyslog to Send Log to a Remote Log Host - This is environment specific
auditd_conf='/etc/audit/auditd.conf'
# CIS 4.1.1.1 Configure Audit Log Storage Size
sed -i 's/^max_log_file .*$/max_log_file = 1024/' ${auditd_conf}
# CIS 4.1.1.2 Disable system on Audit Log Full - This is VERY environment specific (and likely controversial)
sed -i 's/^space_left_action.*$/space_left_action = email/' ${auditd_conf}
sed -i 's/^action_mail_acct.*$/action_mail_acct = root/' ${auditd_conf}
sed -i 's/^admin_space_left_action.*$/admin_space_left_action = halt/' ${auditd_conf}
# CIS 4.1.1.3 Keep All Auditing Information
sed -i 's/^max_log_file_action.*$/max_log_file_action = keep_logs/' ${auditd_conf}

# CIS 5.1.2-5.1.7
chown root:root /etc/anacrontab /etc/crontab /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly /etc/cron.d
chmod 600 /etc/anacrontab /etc/crontab /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly /etc/cron.d

# CIS 5.1.8
[[ -w /etc/at.deny ]] && rm /etc/at.deny
[[ -w /etc/cron.deny ]] && rm /etc/cron.deny
touch /etc/at.allow /etc/cron.allow
chown root:root /etc/at.allow /etc/cron.allow
chmod 600 /etc/at.allow /etc/cron.allow



# CIS 4.1.4 - 4.1.18
cat << EOF >> /etc/audit/rules.d/audit.rules

-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change

-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity

-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale

-w /etc/selinux/ -p wa -k MAC-policy

-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins

-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session

-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod

-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access

-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts

-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete

-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d -p wa -k scope

-w /var/log/sudo.log -p wa -k actions

-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules

-a always,exit -F path=/usr/bin/wall -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/write -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/netreport -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/lib/polkit-1/polkit-agent-helper-1 -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/lib64/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/libexec/utempter/utempter -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged

-e 2
EOF

sed -i "1 i /var/log/boot.log" /etc/logrotate.d/syslog                   # CIS 4.3

sshd_config='/etc/ssh/sshd_config'
chown root:root ${sshd_config}                                          # CIS 5.2.1
chmod 600 ${sshd_config}                                                # CIS 5.2.1
sed -i 's/\#Protocol/Protocol/' ${sshd_config}                          # CIS 5.2.2
sed -i 's/\#LogLevel/LogLevel/' ${sshd_config}                          # CIS 5.2.3
sed -i 's/X11Forwarding yes/X11Forwarding no/' ${sshd_config}           # CIS 5.2.4
sed -i 's/\#MaxAuthTries 6/MaxAuthTries 4/' ${sshd_config}              # CIS 5.2.5
sed -i 's/\#IgnoreRhosts yes/IgnoreRhosts yes/' ${sshd_config}          # CIS 5.2.6
sed -i 's/\#HostbasedAuthentication no/HostbasedAuthentication no/' ${sshd_config}      # CIS 5.2.7
sed -i 's/\#PermitRootLogin yes/PermitRootLogin no/' ${sshd_config}     # CIS 5.2.8
sed -i 's/\#PermitEmptyPasswords no/PermitEmptyPasswords no/' ${sshd_config}    # CIS 5.2.9
sed -i 's/\#PermitUserEnvironment no/PermitUserEnvironment no/' ${sshd_config}  # CIS 5.2.10

# the two "a" (append) commands need double quotes so that ${line_num} expands
line_num=$(grep -n "^\# Ciphers and keying" /etc/ssh/sshd_config | cut -d: -f1)
sed -i "${line_num} a MACs hmac-sha1-...@openssh.com,umac-64-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-ripemd160-...@openssh.com,hmac-sha1,umac...@openssh.com,umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160" ${sshd_config}  # CIS 5.2.12
sed -i "${line_num} a Ciphers aes128-ctr,aes192-ctr,aes256-ctr" /etc/ssh/sshd_config  # CIS 5.2.11

sed -i 's/\#ClientAliveInterval 0/ClientAliveInterval 300/' ${sshd_config}      # CIS 5.2.13
sed -i 's/\#ClientAliveCountMax 3/ClientAliveCountMax 0/' ${sshd_config}        # CIS 5.2.13
sed -i 's/\#LoginGraceTime 2m/LoginGraceTime 60/' ${sshd_config}        # CIS 5.2.14
sed -i 's/\#Banner none/Banner \/etc\/issue\.net/' ${sshd_config}        # CIS 5.2.16

# CIS 5.3.1
pwqual='/etc/security/pwquality.conf'
sed -i 's/^# minlen =.*$/minlen = 14/' ${pwqual}
sed -i 's/^# dcredit =.*$/dcredit = -1/' ${pwqual}
sed -i 's/^# ucredit =.*$/ucredit = -1/' ${pwqual}
sed -i 's/^# ocredit =.*$/ocredit = -1/' ${pwqual}
sed -i 's/^# lcredit =.*$/lcredit = -1/' ${pwqual}

# CIS 5.3.2: rebuild the auth stack of both PAM files around pam_faillock
# (lock after 5 failures, unlock after 900 s). Comment lines and the old auth
# lines are dropped; every other line of the existing file is kept below the new stack.
# No "auth sufficient pam_unix.so" is placed ahead of pam_faillock: a sufficient
# pam_unix there returns before the authsucc/authfail entries run, and remember=
# is a password-phase option (handled under CIS 5.3.3 below), not an auth option.
for pamfile in /etc/pam.d/password-auth /etc/pam.d/system-auth ; do
  content="$(grep -E -v "^#|^auth" ${pamfile})"
  echo -e "auth required pam_env.so
auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900
auth [success=1 default=bad] pam_unix.so
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900
auth required pam_deny.so\n$content" > ${pamfile}
done

# CIS 5.3.3: append remember=5 to the pam_unix password line in both stacks
# unless it is already present. sed needs -i to change the file, and the file
# must be addressed by its full path (a bare "system-auth" is relative to $PWD).
for pamfile in /etc/pam.d/system-auth /etc/pam.d/password-auth ; do
  line_num="$(grep -n "^password[[:space:]]*sufficient[[:space:]]*pam_unix.so" ${pamfile} | cut -d: -f1)"
  if [[ -n "${line_num}" ]] && ! sed -n "${line_num}p" ${pamfile} | grep -q remember ; then
    sed -i "${line_num} s/$/ remember=5/" ${pamfile}
  fi
done

login_defs=/etc/login.defs
sed -i 's/^PASS_MAX_DAYS.*$/PASS_MAX_DAYS 90/' ${login_defs}            # CIS 5.4.1.1
sed -i 's/^PASS_MIN_DAYS.*$/PASS_MIN_DAYS 7/' ${login_defs}             # CIS 5.4.1.2
sed -i 's/^PASS_WARN_AGE.*$/PASS_WARN_AGE 7/' ${login_defs}             # CIS 5.4.1.3

root_gid="$(id -g root)"
if [[ "${root_gid}" -ne 0 ]] ; then
  usermod -g 0 root                                                     # CIS 5.4.3
fi

# CIS 5.4.4: default umask 027. In both files the first umask applies to normal
# users and the second to system-reserved uids; only the first one is changed.
# The sed address is guarded, because an empty ${line_num} makes sed abort on
# an invalid command.
for rcfile in /etc/bashrc /etc/profile ; do
  line_num=$(grep -n "^[[:space:]]*umask" "${rcfile}" | head -1 | cut -d: -f1)
  [[ -n "${line_num}" ]] && sed -i "${line_num}s/002/027/" "${rcfile}"
done

# CIS 5.5
cp /etc/securetty /etc/securetty.orig
#> /etc/securetty
cat << EOF > /etc/securetty
console
tty1
EOF

# CIS 5.6: restrict su to members of wheel. The active line is inserted after
# the commented template line that ships in /etc/pam.d/su; skip if it is absent.
pam_su='/etc/pam.d/su'
line_num="$(grep -n "^\#auth[[:space:]]*required[[:space:]]*pam_wheel.so[[:space:]]*use_uid" ${pam_su} | cut -d: -f1)"
if [[ -n "${line_num}" ]] ; then
  sed -i "${line_num} a auth              required        pam_wheel.so use_uid" ${pam_su}
fi
usermod -aG wheel root   # -a appends; plain -G would replace root's other supplementary groups

[[ -w /etc/issue ]] && rm /etc/issue
[[ -w /etc/issue.net ]] && rm /etc/issue.net
touch /etc/issue /etc/issue.net
chown root:root /etc/issue /etc/issue.net
chmod 644 /etc/issue /etc/issue.net

chown root:root ${grub_cfg}                                     # CIS 1.4.1
chmod 600 ${grub_cfg}
chmod 644 /etc/passwd                                           # CIS 6.1.2
chown root:root /etc/passwd
chmod 000 /etc/shadow                                           # CIS 6.1.3
chown root:root /etc/shadow
chmod 644 /etc/group                                            # CIS 6.1.4
chown root:root /etc/group
chmod 000 /etc/gshadow                                          # CIS 6.1.5
chown root:root /etc/gshadow

# Install AIDE                                                   # CIS 1.3.2
echo "0 5 * * * /usr/sbin/aide --check" >> /var/spool/cron/root
# Initialise last so it doesn't pick up changes made by the post-install of the KS
/usr/sbin/aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz'

%end
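An audit helper for the sshd part of the %post above, added here as an example and not part of the posted kickstart template: sshd honours the first occurrence of each keyword, so a sed that leaves an earlier line in place changes nothing, and the check below reports the effective value rather than grepping for a line. The sshd_config fragment is constructed, and the helper assumes the plain "Keyword value" form (no "=" syntax).

```shell
#!/bin/bash
# Added audit helper (not part of the kickstart template above): sshd applies
# the FIRST non-comment occurrence of a keyword (case-insensitive), so an edit
# that leaves an earlier line in place changes nothing. Report the effective
# value instead of grepping for a line. Assumes "Keyword value" form (no '=').

# effective_value FILE KEYWORD -> prints the effective value, or nothing if unset
effective_value() {
    awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match" { exit }    # a Match block ends the global section
        tolower($1) == kw { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }
    ' "$1"
}

# check_directive FILE KEYWORD EXPECTED -> 0 when the effective value matches
check_directive() {
    local got
    got="$(effective_value "$1" "$2")"
    if [ "$got" = "$3" ]; then
        echo "PASS $2 = $got"; return 0
    fi
    echo "FAIL $2: expected '$3', effective '${got:-<unset>}'"; return 1
}

# Constructed sample: what the %post's sed edits leave in a stock CentOS 7
# sshd_config, plus a stray early Ciphers line to show that the first match wins.
sample="$(mktemp)"
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# constructed sshd_config fragment
Ciphers aes128-cbc
PermitRootLogin no
# Ciphers and keying
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
ClientAliveInterval 300
LoginGraceTime 60
EOF

# audit_sample -> 0 only when every directive checked is effective
audit_sample() {
    local rc=0
    check_directive "$sample" PermitRootLogin no || rc=1
    check_directive "$sample" Ciphers aes128-ctr,aes192-ctr,aes256-ctr || rc=1  # FAIL: aes128-cbc wins
    check_directive "$sample" ClientAliveInterval 300 || rc=1
    check_directive "$sample" MACs hmac-sha2-512 || rc=1                        # FAIL: never set
    return $rc
}

audit_sample || echo "sample does not meet the CIS 5.2 targets (expected for this sample)"
```

Run it against the real file with `check_directive /etc/ssh/sshd_config Ciphers aes128-ctr,aes192-ctr,aes256-ctr` after the kickstart completes; `sshd -T` gives the same effective view from sshd itself.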

------------------------------

_______________________________________________
Spacewalk-list mailing list
Spacewalk-list@redhat.com
https://www.redhat.com/mailman/listinfo/spacewalk-list

End of Spacewalk-list Digest, Vol 123, Issue 37
***********************************************
