Hi,

I tried this command but it ends with a syntax error.

$> spacecmd softwarechannel_regenerateyumcache <channel-label>

I think this option is not available with this spacecmd: "softwarechannel_regenerateyumcache".

Best Regards,
Suhail Siddiqui

________________________________
From: spacewalk-list-requ...@redhat.com
Sent: Wednesday, August 15, 2018 5:26 PM
To: spacewalk-list@redhat.com
Subject: Spacewalk-list Digest, Vol 123, Issue 37

Today's Topics:

   1. Re: Spacewalk-list Digest, Vol 123, Issue 36 (suhail.siddi...@visitor.upm.com)
   2. Re: only SUSE 11 SP4 update pkg push from spacewalk not worked (Michael Calmer)
   3. Kickstart Templates - Import Error (Raymond Setchfield)

----------------------------------------------------------------------

Message: 1
Date: Wed, 15 Aug 2018 11:38:25 +0000
From: <suhail.siddi...@visitor.upm.com>
To: <spacewalk-list@redhat.com>
Subject: Re: [Spacewalk-list] Spacewalk-list Digest, Vol 123, Issue 36

Yes, I have checked that but it didn't work. Also, when I run zypper dup it is showing so many updates, and when I installed the updates using dup and rebooted the servers nothing changed and every update is still available as it was.

Also, when I used a different repository from the SMT server and ran zypper update, it shows all available updates and the updates install and work.

Best Regards,
Suhail Siddiqui

-----Original Message-----
From: spacewalk-list-boun...@redhat.com <spacewalk-list-boun...@redhat.com> On Behalf Of spacewalk-list-requ...@redhat.com
Sent: 15 August 2018 14:09
To: spacewalk-list@redhat.com
Subject: Spacewalk-list Digest, Vol 123, Issue 36

Today's Topics:

   1. only SUSE 11 SP4 update pkg push from spacewalk not worked (suhail.siddi...@visitor.upm.com)
   2. Re: only SUSE 11 SP4 update pkg push from spacewalk not worked (Flores, Javier (D4\INF\IT ID))
   3. Autoaccept GPG Key (Joaquin Henriquez)

----------------------------------------------------------------------

Message: 1
Date: Wed, 15 Aug 2018 10:03:09 +0000
From: <suhail.siddi...@visitor.upm.com>
To: <spacewalk-list@redhat.com>
Subject: [Spacewalk-list] only SUSE 11 SP4 update pkg push from spacewalk not worked

Hi,

Only SUSE 11 SP4 is having this issue: when I push a package update from Spacewalk to the client it fails with "not found"; when I run zypper update on the client it says no updates are available; however, in the Spacewalk web console it is showing all critical and bug fix updates as available.

Please help me fix this. I already removed the cache from the Spacewalk server for this repository and tried everything, but it didn't work.

Thanks
Suhail Siddiqui

------------------------------

Message: 2
Date: Wed, 15 Aug 2018 10:33:56 +0000
From: "Flores, Javier (D4\INF\IT ID)" <javier.flo...@gmz.migros.ch>
To: "'spacewalk-list@redhat.com'" <spacewalk-list@redhat.com>
Subject: Re: [Spacewalk-list] only SUSE 11 SP4 update pkg push from spacewalk not worked

Hi,

Have you already tried deleting the local caches (zypper clean -a) on your sles11sp4 server?

Regards,
Javier

------------------------------

Message: 3
Date: Wed, 15 Aug 2018 11:08:25 +0000
From: Joaquin Henriquez <joaquin.henriq...@countercept.com>
To: "spacewalk-list@redhat.com" <spacewalk-list@redhat.com>
Subject: [Spacewalk-list] Autoaccept GPG Key

Hi Guys

When configuring the GPG of the channel I put the file:///etc/pki/rpm/GPG-KEY, KEY-ID and Fingerprint. When updating a client it takes the file from that path.

ERROR: Error while executing packages action: Refusing to automatically import keys when running unattended. [[6]]

That means I need to get confirmation for the GPG Key. Is there a way to auto-accept?

Total size: 480 k
Is this ok [y/d/N]: y
Downloading packages:
warning: /var/cache/yum/x86_64/7/elasticseach_curator_4/packages/python-setuptools-27.3.0-1.noarch.rpm: Header V4 RSA/SHA1 Signature, key ID d88e42b4: NOKEY
Retrieving key from file:///etc/pki/rpm-gpg/GPG-KEY-elasticsearch
Importing GPG key 0xD88E42B4:
 Userid     : "Elasticsearch (Elasticsearch Signing Key) <dev_...@elasticsearch.org>"
 Fingerprint: 4609 5acc 8548 582c 1a26 99a9 d27d 666c d88e 42b4
 From       : /etc/pki/rpm-gpg/GPG-KEY-elasticsearch
Is this ok [y/N]:

------------------------------

End of Spacewalk-list Digest, Vol 123, Issue 36
***********************************************
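The "Is this ok [y/N]" prompt above is the point at which the offered key should be compared with the fingerprint configured for the channel, not waved through. The following Python is an added example (not code from the thread, from yum or from Spacewalk) that parses a prompt of that shape and checks the key ID against the fingerprint and the fingerprint against the expected value; the sample prompt text, the e-mail address in it and the "keys must come from /etc/pki/rpm-gpg/" policy are constructed assumptions.

```python
"""Verify the key yum offers to import against the fingerprint you expect.

Added example, not from the Spacewalk thread.  The channel's configured
fingerprint is the trust anchor: whatever the prompt shows must match it
before the key goes into the rpm database (once it is there, yum no longer
has to ask, attended or not).
"""
import re

# Constructed sample in the shape yum prints before "Is this ok [y/N]".
# The e-mail address is a placeholder, not the real signing-key user ID.
SAMPLE_PROMPT = """\
Retrieving key from file:///etc/pki/rpm-gpg/GPG-KEY-elasticsearch
Importing GPG key 0xD88E42B4:
 Userid     : "Elasticsearch (Elasticsearch Signing Key) <keys@example.invalid>"
 Fingerprint: 4609 5acc 8548 582c 1a26 99a9 d27d 666c d88e 42b4
 From       : /etc/pki/rpm-gpg/GPG-KEY-elasticsearch
Is this ok [y/N]:
"""

KEYID_RE = re.compile(r"Importing GPG key 0x([0-9A-Fa-f]{8,16}):")
FIELD_RE = re.compile(r"^\s*(Userid|Fingerprint|From)\s*:\s*(.*?)\s*$", re.M)

# Assumed local policy: keys must be offered from the rpm-gpg directory the
# channel points at, never from a download location or a stray path.
TRUSTED_KEY_DIR = "/etc/pki/rpm-gpg/"


def normalize_fingerprint(value):
    """Uppercase hex without separators; raises unless it is a 40-digit (v4) fingerprint."""
    digits = re.sub(r"[\s:]", "", value).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", digits):
        raise ValueError("not a 40-hex-digit OpenPGP v4 fingerprint: %r" % value)
    return digits


def parse_key_prompt(text):
    """Extract key ID, fingerprint, user ID and source path from a yum import prompt."""
    m = KEYID_RE.search(text)
    if not m:
        raise ValueError("no 'Importing GPG key' line found")
    fields = {k: v for k, v in FIELD_RE.findall(text)}
    return {
        "keyid": m.group(1).upper(),
        "fingerprint": normalize_fingerprint(fields.get("Fingerprint", "")),
        "userid": fields.get("Userid", ""),
        "source": fields.get("From", ""),
    }


def rpm_pubkey_name(keyid):
    """Name prefix rpm gives an imported key, usable as 'rpm -q gpg-pubkey-d88e42b4'."""
    return "gpg-pubkey-" + keyid[-8:].lower()


def check_key_prompt(text, expected_fingerprint):
    """Return (ok, problems).  ok is True only when every check passes."""
    try:
        key = parse_key_prompt(text)
        expected = normalize_fingerprint(expected_fingerprint)
    except ValueError as exc:
        return False, [str(exc)]
    problems = []
    # The short key ID is just the low bits of the fingerprint; if the prompt
    # shows a key ID that is not the tail of the fingerprint, the text is
    # inconsistent and must not be trusted.
    if not key["fingerprint"].endswith(key["keyid"]):
        problems.append("key ID %s is not the tail of fingerprint %s"
                        % (key["keyid"], key["fingerprint"]))
    if key["fingerprint"] != expected:
        problems.append("fingerprint %s does not match expected %s"
                        % (key["fingerprint"], expected))
    if not key["source"].startswith(TRUSTED_KEY_DIR):
        problems.append("key offered from unexpected location %r" % key["source"])
    return (not problems), problems


if __name__ == "__main__":
    EXPECTED = "4609 5ACC 8548 582C 1A26 99A9 D27D 666C D88E 42B4"
    ok, why = check_key_prompt(SAMPLE_PROMPT, EXPECTED)
    key = parse_key_prompt(SAMPLE_PROMPT)
    print("accept" if ok else "refuse", why, "->", rpm_pubkey_name(key["keyid"]))
```

Importing the verified key file with rpm --import during provisioning is what makes later unattended runs succeed, because the prompt only appears for keys not yet in the rpm database.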
------------------------------

Message: 2
Date: Wed, 15 Aug 2018 13:39:50 +0200
From: Michael Calmer <m...@suse.de>
To: spacewalk-list@redhat.com
Subject: Re: [Spacewalk-list] only SUSE 11 SP4 update pkg push from spacewalk not worked

Hi

This might also happen when Spacewalk does not re-generate the metadata.
Look for /var/cache/rhn/repodata/<channel-label>/ and remove all files.
After this, trigger a re-generation, maybe with

$> spacecmd softwarechannel_regenerateyumcache <channel-label>

Wait until the generation is finished (no .new files in the cache dir) and try again.

On Wednesday, 15 August 2018, 12:33:56 CEST, Flores, Javier (D4\INF\IT ID) wrote:
> Hi,
>
> Have you already tried deleting the local caches (zypper clean -a) on your
> sles11sp4 server?
>
> Regards,
> Javier

--
Regards

Michael Calmer
--------------------------------------------------------------------------
Michael Calmer
SUSE LINUX GmbH, Maxfeldstr. 5, D-90409 Nuernberg
T: +49 (0) 911 74053 0
F: +49 (0) 911 74053575 - e-mail: michael.cal...@suse.com
--------------------------------------------------------------------------
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)

------------------------------

Message: 3
Date: Wed, 15 Aug 2018 12:55:47 +0100
From: Raymond Setchfield <raymond.setchfi...@gmail.com>
To: spacewalk-list@redhat.com
Subject: [Spacewalk-list] Kickstart Templates - Import Error

Hi

Still having difficulties with the kickstart template which I am importing. I have received the following error:

# *** ERROR ***
#
# There is a templating error preventing this file from rendering correctly.
#
# This is most likely not due to a bug in Cobbler and is something you can fix.
#
# Look at the message below to see what things are causing problems.
#
# (1) Does the template file reference a $variable that is not defined?
# (2) is there a formatting error in a Cheetah directive?
# (3) Should dollar signs ($) be escaped that are not being escaped?
#
# Try fixing the problem and then investigate to see if this message goes
# away or changes.
#
#
# invalid syntax (<string>, line 1)
#   File "/usr/lib/python2.7/site-packages/cobbler/templar.py", line 142, in render
#     data_out = t.respond()
#
#   File "cheetah_DynamicallyCompiledCheetahTemplate_1534333865_22_95256.py", line 559, in respond
#
#   File "cheetah_DynamicallyCompiledCheetahTemplate_1534333865_22_95256.py", line 91, in __errorCatcher4
#

I have attached the kickstart which I am attempting to import. Any help would be greatly appreciated.

Ray

-------------- next part --------------

# Kickstart Template Based on CIS (Centre for Internet Security)
# This kickstart conforms to the standard on benchmark version 2.1.1
# Raymond Setchfield
# Date 13/08/18
#
install
lang en_GB.UTF-8
keyboard --vckeymap=uk --xlayouts='uk'
timezone Europe/London --isUtc
auth --useshadow --passalgo=sha512 # CIS 5.3.4
firewall --enabled
services --enabled=NetworkManager,sshd
eula --agreed
ignoredisk --only-use=sda
reboot
bootloader --location=mbr --append=" crashkernel=auto"
zerombr
clearpart --all --initlabel
part swap --asprimary --fstype="swap" --recommended
part /boot --fstype xfs --size=1024
part pv.01 --size=1 --grow
volgroup vg_root pv.01
logvol / --fstype xfs --name=root --vgname=vg_root --size=5120 --grow
# CIS 1.1.2-1.1.5
logvol /tmp --vgname vg_root --name tmp --size=500 --fsoptions="nodev,nosuid,noexec"
# CIS 1.1.11
logvol /var/log --vgname vg_root --name log --size=1024
# CIS 1.1.12
logvol /var/log/audit --vgname vg_root --name audit --size=1024
# CIS 1.1.13-1.1.14
logvol /home --vgname vg_root --name home --size=1024 --fsoptions="nodev"
rootpw yourpasswordhere
cdrom

%packages --ignoremissing
@core
aide # CIS 1.3.1
tcp_wrappers # CIS 3.4
rsyslog # CIS 4.2.1
#cronie-anacron
-setroubleshoot # CIS 1.6.1.4
-mcstrans # CIS 1.6.1.5
-telnet # CIS 2.3.4
-rsh-server # CIS 2.2.17
-rsh # CIS 2.3.2
-ypbind # CIS 2.1.1
-ypserv # CIS 2.2.16
-tftp # CIS 2.1.7
-tftp-server # CIS 2.2.20
-talk # CIS 2.3.3
-talk-server # CIS 2.2.18
-xinetd # CIS 2.1.7
-xorg-x11-server-common # CIS 2.2.2
-avahi-daemon # CIS 2.2.3
-cups # CIS 2.2.4
-dhcp # CIS 2.2.5
-openldap # CIS 2.2.6
%end

%post --log=/root/postinstall.log

###############################################################################
# /etc/fstab
# CIS 1.1.6 + 1.1.15-1.1.17
cat << EOF >> /etc/fstab
/tmp /var/tmp none bind 0 0
none /dev/shm tmpfs nosuid,nodev,noexec 0 0
EOF

###############################################################################
# Disable mounting of unneeded filesystems CIS 1.1.1 and CIS 3.5
cat << EOF >> /etc/modprobe.d/CIS.conf
install cramfs /bin/true
install freevxfs /bin/true
install jffs2 /bin/true
install hfs /bin/true
install hfsplus /bin/true
install squashfs /bin/true
install udf /bin/true
install dccp /bin/true
install sctp /bin/true
install rds /bin/true
install tipc /bin/true
EOF

# Set the sticky bit on every world-writable directory on local filesystems
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null | xargs chmod a+t

rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release # CIS 1.2.3

systemctl enable firewalld # CIS 3.6
systemctl enable rsyslog # CIS 4.2.1.1
systemctl enable auditd # CIS 4.1.2
systemctl enable crond # CIS 5.1.1

# Set bootloader password
# CIS 1.5.3
# qwe123#@!
cat << EOF2 >> /etc/grub.d/01_users
#!/bin/sh -e
cat << EOF
set superusers="bootuser"
password_pbkdf2 bootuser grub.pbkdf2.sha512.10000.44D91DCFB72B53F27C58A4EAEBF29A210CB57469FB5CAA8935585856232A6CE70A2B58CE8BBAF7A9618848836F1793EC575AD1BF5959472D3AA5ECB6A05C92D2.89E0A18B9AB9080642209EAC8FC69CB988062579B68C27A16281900FFC79CE60AE1155409F78DDCFC92C40FF87A7C2F5A80899515B5CF9D15044E34658CBBD6B
EOF
EOF2

sed -i s/'^GRUB_CMDLINE_LINUX="'/'GRUB_CMDLINE_LINUX="audit=1 '/ /etc/default/grub # CIS 4.1.3
grub_cfg='/boot/grub2/grub.cfg'
grub2-mkconfig -o ${grub_cfg}

# Restrict Core Dumps
# CIS 1.5.1
echo \* hard core 0 >> /etc/security/limits.conf

cat << EOF >> /etc/sysctl.conf
fs.suid_dumpable = 0 # CIS 1.5.1
kernel.randomize_va_space = 2 # CIS 1.5.3
net.ipv4.ip_forward = 0 # CIS 3.1.1
net.ipv4.conf.all.send_redirects = 0 # CIS 3.1.2
net.ipv4.conf.default.send_redirects = 0 # CIS 3.1.2
net.ipv4.conf.all.accept_source_route = 0 # CIS 3.2.1
net.ipv4.conf.default.accept_source_route = 0 # CIS 3.2.1
net.ipv4.conf.all.accept_redirects = 0 # CIS 3.2.2
net.ipv4.conf.default.accept_redirects = 0 # CIS 3.2.2
net.ipv4.conf.all.secure_redirects = 0 # CIS 3.2.3
net.ipv4.conf.default.secure_redirects = 0 # CIS 3.2.3
net.ipv4.conf.all.log_martians = 1 # CIS 3.2.4
net.ipv4.conf.default.log_martians = 1 # CIS 3.2.4
net.ipv4.icmp_echo_ignore_broadcasts = 1 # CIS 3.2.5
net.ipv4.icmp_ignore_bogus_error_responses = 1 # CIS 3.2.6
net.ipv4.conf.all.rp_filter = 1 # CIS 3.2.7
net.ipv4.conf.default.rp_filter = 1 # CIS 3.2.7
net.ipv4.tcp_syncookies = 1 # CIS 3.2.8
net.ipv6.conf.all.accept_ra = 0 # CIS 3.3.1
net.ipv6.conf.default.accept_ra = 0 # CIS 3.3.1
net.ipv6.conf.all.accept_redirects = 0 # CIS 3.3.2
net.ipv6.conf.default.accept_redirects = 0 # CIS 3.3.2
net.ipv6.conf.all.disable_ipv6 = 1 # CIS 3.3.3
EOF

echo "NETWORKING_IPV6=no" >> /etc/sysconfig/network
echo "IPV6INIT=no" >> /etc/sysconfig/network
echo "options ipv6 disable=1" >> /etc/modprobe.d/ipv6.conf
echo "net.ipv6.conf.all.disable_ipv6=1" >> /etc/sysctl.d/ipv6.conf

cd /usr/lib/systemd/system
rm default.target
ln -s multi-user.target default.target

echo "ALL: ALL" >> /etc/hosts.deny # CIS 3.4.3
chown root:root /etc/hosts.deny # CIS 3.4.5
chmod 644 /etc/hosts.deny # CIS 3.4.5

chown root:root /etc/rsyslog.conf
chmod 600 /etc/rsyslog.conf
# CIS 4.2.1.2 - 4.2.1.3 Configure /etc/rsyslog.conf - This is environment specific
cat << EOF >> /etc/rsyslog.conf
auth,user.* /var/log/user
kern.* /var/log/kern.log
daemon.* /var/log/daemon.log
syslog.* /var/log/syslog
lpr,news,uucp,local0,local1,local2,local3,local4,local5,local6.* /var/log/unused.log
EOF
touch /var/log/user /var/log/kern.log /var/log/daemon.log /var/log/syslog /var/log/unused.log
chmod og-rwx /var/log/user /var/log/kern.log /var/log/daemon.log /var/log/syslog /var/log/unused.log
chown root:root /var/log/user /var/log/kern.log /var/log/daemon.log /var/log/syslog /var/log/unused.log
# CIS 4.2.1.4 - 4.2.1.5 Configure rsyslog to Send Log to a Remote Log Host - This is environment specific

auditd_conf='/etc/audit/auditd.conf'
# CIS 4.1.1.1 Configure Audit Log Storage Size
sed -i 's/^max_log_file .*$/max_log_file = 1024/' ${auditd_conf}
# CIS 4.1.1.2 Disable system on Audit Log Full - This is VERY environment specific (and likely controversial)
sed -i 's/^space_left_action.*$/space_left_action = email/' ${auditd_conf}
sed -i 's/^action_mail_acct.*$/action_mail_acct = root/' ${auditd_conf}
sed -i 's/^admin_space_left_action.*$/admin_space_left_action = halt/' ${auditd_conf}
# CIS 4.1.1.3 Keep All Auditing Information
sed -i 's/^max_log_file_action.*$/max_log_file_action = keep_logs/' ${auditd_conf}

# CIS 5.1.2-5.1.7
chown root:root /etc/anacrontab /etc/crontab /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly /etc/cron.d
chmod 600 /etc/anacrontab /etc/crontab /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly /etc/cron.d
# CIS 5.1.8
[[ -w /etc/at.deny ]] && rm /etc/at.deny
[[ -w /etc/cron.deny ]] && rm /etc/cron.deny
touch /etc/at.allow /etc/cron.allow
chown root:root /etc/at.allow /etc/cron.allow
chmod 600 /etc/at.allow /etc/cron.allow

# CIS 4.1.4 - 4.1.18
cat << EOF >> /etc/audit/rules.d/audit.rules
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale
-w /etc/selinux/ -p wa -k MAC-policy
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d -p wa -k scope
-w /var/log/sudo.log -p wa -k actions
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
-a always,exit -F path=/usr/bin/wall -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/write -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/netreport -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/lib/polkit-1/polkit-agent-helper-1 -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/lib64/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/libexec/utempter/utempter -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-e 2
EOF

sed -i "1 i /var/log/boot.log" /etc/logrotate.d/syslog # CIS 4.3

sshd_config='/etc/ssh/sshd_config'
chown root:root ${sshd_config} # CIS 5.2.1
chmod 600 ${sshd_config} # CIS 5.2.1
sed -i 's/\#Protocol/Protocol/' ${sshd_config} # CIS 5.2.2
sed -i 's/\#LogLevel/LogLevel/' ${sshd_config} # CIS 5.2.3
sed -i 's/X11Forwarding yes/X11Forwarding no/' ${sshd_config} # CIS 5.2.4
sed -i 's/\#MaxAuthTries 6/MaxAuthTries 4/' ${sshd_config} # CIS 5.2.5
sed -i 's/\#IgnoreRhosts yes/IgnoreRhosts yes/' ${sshd_config} # CIS 5.2.6
sed -i 's/\#HostbasedAuthentication no/HostbasedAuthentication no/' ${sshd_config} # CIS 5.2.7
sed -i 's/\#PermitRootLogin yes/PermitRootLogin no/' ${sshd_config} # CIS 5.2.8
sed -i 's/\#PermitEmptyPasswords no/PermitEmptyPasswords no/' ${sshd_config} # CIS 5.2.9
sed -i 's/\#PermitUserEnvironment no/PermitUserEnvironment no/' ${sshd_config} # CIS 5.2.10
# The sed scripts below must be double-quoted so that ${line_num} expands;
# in single quotes sed would see a literal "${line_num}" and fail.
line_num=$(grep -n "^\# Ciphers and keying" /etc/ssh/sshd_config | cut -d: -f1)
sed -i "${line_num} a MACs hmac-sha1-...@openssh.com,umac-64-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-ripemd160-...@openssh.com,hmac-sha1,umac...@openssh.com,umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160" ${sshd_config} # CIS 5.2.12
sed -i "${line_num} a Ciphers aes128-ctr,aes192-ctr,aes256-ctr" /etc/ssh/sshd_config # CIS 5.2.11
sed -i 's/\#ClientAliveInterval 0/ClientAliveInterval 300/' ${sshd_config} # CIS 5.2.13
sed -i 's/\#ClientAliveCountMax 3/ClientAliveCountMax 0/' ${sshd_config} # CIS 5.2.13
sed -i 's/\#LoginGraceTime 2m/LoginGraceTime 60/' ${sshd_config} # CIS 5.2.14
sed -i 's/\#Banner none/Banner \/etc\/issue\.net/' ${sshd_config} # CIS 5.2.16

# CIS 5.3.1
pwqual='/etc/security/pwquality.conf'
sed -i 's/^# minlen =.*$/minlen = 14/' ${pwqual}
sed -i 's/^# dcredit =.*$/dcredit = -1/' ${pwqual}
sed -i 's/^# ucredit =.*$/ucredit = -1/' ${pwqual}
sed -i 's/^# ocredit =.*$/ocredit = -1/' ${pwqual}
sed -i 's/^# lcredit =.*$/lcredit = -1/' ${pwqual}

# CIS 5.3.2
content="$(egrep -v "^#|^auth" /etc/pam.d/password-auth)"
echo -e "auth required pam_env.so
auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900
auth [success=1 default=bad] pam_unix.so
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900
auth required pam_deny.so
$content" > /etc/pam.d/password-auth
content="$(egrep -v "^#|^auth" /etc/pam.d/system-auth)"
echo -e "auth required pam_env.so
auth sufficient pam_unix.so remember=5
auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900
auth [success=1 default=bad] pam_unix.so
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900
auth required pam_deny.so
$content" > /etc/pam.d/system-auth

# CIS 5.3.3
line_num="$(grep -n "^password[[:space:]]*sufficient[[:space:]]*pam_unix.so*" /etc/pam.d/system-auth | cut -d: -f1)"
# Append remember=5 to that line only if it is not already there (edit in place)
sed -n "$line_num p" /etc/pam.d/system-auth | grep remember || sed -i "${line_num} s/$/ remember=5/" /etc/pam.d/system-auth

login_defs=/etc/login.defs
sed -i 's/^PASS_MAX_DAYS.*$/PASS_MAX_DAYS 90/' ${login_defs} # CIS 5.4.1.1
sed -i 's/^PASS_MIN_DAYS.*$/PASS_MIN_DAYS 7/' ${login_defs} # CIS 5.4.1.2
sed -i 's/^PASS_WARN_AGE.*$/PASS_WARN_AGE 7/' ${login_defs} # CIS 5.4.1.3

root_gid="$(id -g root)"
if [[ "${root_gid}" -ne 0 ]] ; then
  usermod -g 0 root # CIS 5.4.3
fi

# CIS 5.4.4
bashrc='/etc/bashrc'
# first umask cmd sets it for users, second umask cmd sets it for system reserved uids
# we want to alter the first one
line_num=$(grep -n "^[[:space:]]*umask" '/etc/bashrc' | head -1 | cut -d: -f1)
sed -i ${line_num}s/002/027/ '/etc/bashrc'
bashprofile='/etc/profile'
line_num=$(grep -n "^[[:space:]]*umask" '/etc/profile' | head -1 | cut -d: -f1)
sed -i ${line_num}s/002/027/ '/etc/profile'

# CIS 5.5
cp /etc/securetty /etc/securetty.orig
#> /etc/securetty
cat << EOF > /etc/securetty
console
tty1
EOF

# CIS 5.6
pam_su='/etc/pam.d/su'
line_num="$(grep -n "^\#auth[[:space:]]*required[[:space:]]*pam_wheel.so[[:space:]]*use_uid" '/etc/pam.d/su' | cut -d: -f1)"
sed -i "${line_num} a auth required pam_wheel.so use_uid" '/etc/pam.d/su'
usermod -G wheel root

[[ -w /etc/issue ]] && rm /etc/issue
[[ -w /etc/issue.net ]] && rm /etc/issue.net
touch /etc/issue /etc/issue.net
chown root:root /etc/issue /etc/issue.net
chmod 644 /etc/issue /etc/issue.net

chown root:root ${grub_cfg} # CIS 1.4.1
chmod 600 ${grub_cfg}
chmod 644 /etc/passwd # CIS 6.1.2
chown root:root /etc/passwd
chmod 000 /etc/shadow # CIS 6.1.3
chown root:root /etc/shadow
chmod 644 /etc/group # CIS 6.1.4
chown root:root /etc/group
chmod 000 /etc/gshadow # CIS 6.1.5
chown root:root /etc/gshadow

# Install AIDE
# CIS 1.3.2
echo "0 5 * * * /usr/sbin/aide --check" >> /var/spool/cron/root
# Initialise last so it doesn't pick up changes made by the post-install of the KS
/usr/sbin/aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz'
%end

------------------------------

End of Spacewalk-list Digest, Vol 123, Issue 37
***********************************************
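Cause (3) in the Cobbler error above can be checked mechanically before an import. The following Python is an added example (not code from Raymond's message, from Cobbler or from Cheetah) that scans a kickstart for the `$` sequences Cheetah treats as placeholders (`$name`, `${...}`, `$(...)`, `$[...]`) and for lines starting with `##`, which Cheetah drops as comments, and produces the backslash-escaped form Cobbler renders literally. The sample lines are constructed from the `%post` section of the template above.

```python
"""Find what Cobbler's Cheetah templating would interpret in a kickstart.

Added example, not from the thread or from Cobbler.  Cheetah expands $name,
${...}, $(...) and $[...] as placeholders and strips lines beginning with
'##' as template comments; a backslash in front (\\$ or \\#) makes them
literal text in the rendered kickstart.
"""
import re

# A '$' that is not already escaped, followed by something Cheetah reads as
# a placeholder.  "$/" (as in sed's s/$/.../) and "$6" are left alone.
PLACEHOLDER = re.compile(r"(?<!\\)\$(?:[A-Za-z_][A-Za-z0-9_.]*|[{(\[])")
# A line whose first non-blank characters are '##' (Cheetah single-line comment).
COMMENT = re.compile(r"^(\s*)##", re.M)

# Constructed sample: lines lifted from the %post of the template above.
SAMPLE = """\
###############################################################################
# Disable mounting of unneeded filesystems CIS 1.1.1 and CIS 3.5
grub_cfg='/boot/grub2/grub.cfg'
grub2-mkconfig -o ${grub_cfg}
echo \\* hard core 0 >> /etc/security/limits.conf
root_gid="$(id -g root)"
sed -i "${line_num} s/$/ remember=5/" /etc/pam.d/system-auth
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d
"""


def find_placeholders(template):
    """(line number, column, matched text) for every unescaped placeholder."""
    hits = []
    for lineno, line in enumerate(template.splitlines(), start=1):
        for m in PLACEHOLDER.finditer(line):
            hits.append((lineno, m.start() + 1, m.group(0)))
    return hits


def find_cheetah_comments(template):
    """Line numbers of '##...' lines, which vanish from the rendered kickstart."""
    return [n for n, line in enumerate(template.splitlines(), start=1)
            if COMMENT.match(line)]


def escape_for_cobbler(template):
    """Backslash-escape every placeholder '$' and every leading '##'."""
    escaped = PLACEHOLDER.sub(lambda m: "\\" + m.group(0), template)
    return COMMENT.sub(r"\1\\##", escaped)


def report(template):
    """Human-readable summary of what would need escaping, one line per finding."""
    lines = ["line %d col %d: unescaped %s" % hit for hit in find_placeholders(template)]
    lines += ["line %d: '##' line would be dropped as a Cheetah comment" % n
              for n in find_cheetah_comments(template)]
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
    print("--- escaped ---")
    print(escape_for_cobbler(SAMPLE))
```

Because the scan is line-based it can be run on the attached template as a whole; each finding's line number maps directly onto the kickstart, unlike the "line 1" of the compiled Cheetah module that Cobbler reports.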
_______________________________________________ Spacewalk-list mailing list Spacewalk-list@redhat.com https://www.redhat.com/mailman/listinfo/spacewalk-list