DevNet

From DER's LLC
Revision as of 19:40, 2 June 2023 by Admin

Spacewalk Documentation

Lockdown Scripts

#raw
printf " Locking Down CentOS 7:                                                      "
# Progress indicator; remember its PID so that only this process is killed at the end
/bin/bash /tmp/status.sh &
STATUS_PID=$!

echo 'CCE-27053-8 - Set Password Hashing Algorithm in /etc/libuser.conf' >> /root/ks-lockdown.log
sed -i 's~crypt_style.*~crypt_style = sha512~' /etc/libuser.conf

yum -y remove vasclnt &> /dev/null
yum -y install clamav &> /dev/null

echo 'Installing oscap' >> /root/ks-lockdown.log
# --nogpgcheck skips RPM signature verification for this install; import the
# repository's signing key on the client (see "Import GPG key on Servers") and
# drop the flag once that key is in place.
yum -y --nogpgcheck install spacewalk-oscap scap-security-guide &>> /root/ks-lockdown.log
# SSG's RHEL 7 content only applies to the RHEL CPE; add the CentOS CPE so the
# rules are evaluated instead of being reported as not applicable on CentOS.
sed -i '/<platform idref="cpe:\/o:redhat:enterprise_linux:7"\/>/a \ \ <platform idref="cpe:\/o:centos:centos:7" \/>' /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
#sed -i 's~idref="audit_rules_privileged_commands" selected=".*"~idref="audit_rules_privileged_commands" selected="false"~' /usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml
/usr/bin/oscap xccdf eval --profile stig-rhel7-server-upstream --remediate /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml &>> /root/ks-lockdown.log
# The remediation can leave the MACs directive glued to the end of the previous
# line of sshd_config; give it a line of its own
sed -i "s/MACs/\\nMACs/" /etc/ssh/sshd_config
# Re-scan after remediation and render the HTML report. The result files are
# written relative to the working directory of this %post script.
/usr/bin/oscap xccdf eval --profile stig-rhel7-server-upstream --oval-results --results ssg-rhel7-xccdf.xml.result.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml &>> /root/ks-lockdown.log
/usr/bin/oscap xccdf generate report --oval-template ssg-rhel7-oval.xml.result.xml ssg-rhel7-xccdf.xml.result.xml > /root/stig-report-xccdf-oval.html

# CVE-2004-1653: OpenSSH allows TCP forwarding by default. Each pair below first
# rewrites the commented-out directive the stock sshd_config ships with, then an
# active "yes". A directive that is missing entirely is NOT added, so a file
# without it keeps sshd's default (yes) while the log says "Already complete".
echo 'CVE-2004-1653' >> /root/ks-lockdown.log
grep -q '#AllowTcpForwarding yes' /etc/ssh/sshd_config && sed -i 's/#AllowTcpForwarding yes/AllowTcpForwarding no/' /etc/ssh/sshd_config || echo 'CVE-2004-1653 (1 of 2) Already complete' >> /root/ks-lockdown.log
grep -q 'AllowTcpForwarding yes' /etc/ssh/sshd_config && sed -i 's/AllowTcpForwarding yes/AllowTcpForwarding no/' /etc/ssh/sshd_config || echo 'CVE-2004-1653 (2 of 2) Already complete' >> /root/ks-lockdown.log

# CVE-2007-2243: with ChallengeResponseAuthentication enabled, S/KEY responses
# let a remote attacker enumerate valid user names.
echo 'CVE-2007-2243' >> /root/ks-lockdown.log
grep -q '#ChallengeResponseAuthentication yes' /etc/ssh/sshd_config && sed -i 's/#ChallengeResponseAuthentication yes/ChallengeResponseAuthentication no/' /etc/ssh/sshd_config || echo 'CVE-2007-2243 (1 of 2) Already complete' >> /root/ks-lockdown.log
grep -q 'ChallengeResponseAuthentication yes' /etc/ssh/sshd_config && sed -i 's/ChallengeResponseAuthentication yes/ChallengeResponseAuthentication no/' /etc/ssh/sshd_config || echo 'CVE-2007-2243 (2 of 2) Already complete' >> /root/ks-lockdown.log

kill "$STATUS_PID"
printf "\b\b\b\b\b\b\b\b"
echo -e "[  \e[1;32mOK\e[0;39m  ]"
#end raw
https://copr-be.cloud.fedoraproject.org/results/openscapmaint/openscap-latest/epel-7-x86_64/
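The grep-and-sed pairs in the lockdown script only rewrite a directive that is already present in sshd_config (commented out or active); when the directive is absent they log "Already complete" and sshd silently keeps its built-in default, which for both AllowTcpForwarding and ChallengeResponseAuthentication is yes. The following is an added example, not part of the original script, of an idempotent setter that handles all three states and reports which one it found. It assumes GNU sed (the -i -E options) and a single sshd_config without Match blocks (a directive inside a Match block would be rewritten too); the sample config it edits is constructed inline.

```shell
#!/bin/bash
# Added example, not part of the original lockdown script.
# set_sshd_option handles the three states a directive can be in (active,
# commented out, absent) and reports which one it found, so an absent
# directive is appended instead of being logged as "Already complete".
# Assumptions: GNU sed (-i -E); a single-file sshd_config without Match blocks.
set -u

# set_sshd_option FILE KEY VALUE
# Prints one of: unchanged | updated | uncommented | appended
set_sshd_option() {
    local file="$1" key="$2" value="$3"
    if grep -Eq "^[[:space:]]*${key}[[:space:]]+${value}[[:space:]]*$" "$file"; then
        echo unchanged
    elif grep -Eq "^[[:space:]]*${key}[[:space:]]" "$file"; then
        # an active line with some other value: rewrite it in place
        sed -i -E "s~^[[:space:]]*${key}[[:space:]].*~${key} ${value}~" "$file"
        echo updated
    elif grep -Eq "^[[:space:]]*#[[:space:]]*${key}[[:space:]]" "$file"; then
        # the stock file carries the directive commented out: activate it
        sed -i -E "s~^[[:space:]]*#[[:space:]]*${key}[[:space:]].*~${key} ${value}~" "$file"
        echo uncommented
    else
        # not present at all: sshd would use its built-in default, so add it
        printf '%s %s\n' "$key" "$value" >> "$file"
        echo appended
    fi
}

# On the target host, as root: the value sshd actually uses after parsing the
# whole file (sshd -T prints keywords in lower case). Not exercised by demo.
effective_sshd_value() {
    sshd -T 2>/dev/null \
        | awk -v k="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '$1 == k { print $2 }'
}

# Constructed sample standing in for /etc/ssh/sshd_config: one directive
# commented out as shipped, one active, one (X11Forwarding) missing entirely.
demo() {
    local tmp
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
#AllowTcpForwarding yes
ChallengeResponseAuthentication yes
EOF
    printf 'AllowTcpForwarding: %s\n' "$(set_sshd_option "$tmp" AllowTcpForwarding no)"
    printf 'ChallengeResponseAuthentication: %s\n' "$(set_sshd_option "$tmp" ChallengeResponseAuthentication no)"
    printf 'X11Forwarding: %s\n' "$(set_sshd_option "$tmp" X11Forwarding no)"
    echo '--- resulting file ---'
    cat "$tmp"
    rm -f "$tmp"
}

demo
```

After running the setter against the real /etc/ssh/sshd_config, effective_sshd_value AllowTcpForwarding (as root) confirms what sshd will actually enforce, which also catches a duplicate directive earlier in the file, since sshd honours the first occurrence.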

Spacewalk Installation Instructions

Installing Spacewalk

How-to

Joining a Client (Centos 6) to Spacewalk

On the Client as root, run:

mkdir reg-rpms
cd reg-rpms
wget http://spacewalk/pub/register/rhn-check-2.2.7-1.el6.noarch.rpm http://spacewalk/pub/register/rhn-client-tools-2.2.7-1.el6.noarch.rpm  http://spacewalk/pub/register/rhn-setup-2.2.7-1.el6.noarch.rpm http://spacewalk/pub/register/rhncfg-5.10.73-1.el6.noarch.rpm http://spacewalk/pub/register/rhncfg-actions-5.10.73-1.el6.noarch.rpm http://spacewalk/pub/register/rhncfg-client-5.10.73-1.el6.noarch.rpm http://spacewalk/pub/register/rhnsd-5.0.14-1.el6.x86_64.rpm http://spacewalk/pub/register/yum-rhn-plugin-2.2.7-1.el6.noarch.rpm http://spacewalk/pub/register/m2crypto-0.20.2-9.el6.x86_64.rpm http://spacewalk/pub/register/python-dmidecode-3.10.13-3.el6_4.x86_64.rpm http://spacewalk/pub/register/python-gudev-147.1-4.el6_0.1.x86_64.rpm http://spacewalk/pub/register/python-hwdata-1.7.3-1.el6.noarch.rpm 
yum -y localinstall rhn-setup-2.2.7-1.el6.noarch.rpm rhnsd-5.0.14-1.el6.x86_64.rpm rhn-check-2.2.7-1.el6.noarch.rpm rhn-client-tools-2.2.7-1.el6.noarch.rpm yum-rhn-plugin-2.2.7-1.el6.noarch.rpm m2crypto-0.20.2-9.el6.x86_64.rpm python-dmidecode-3.10.13-3.el6_4.x86_64.rpm python-hwdata-1.7.3-1.el6.noarch.rpm python-gudev-147.1-4.el6_0.1.x86_64.rpm
cd ..
rm -rf reg-rpms
mkdir keys
cd keys
wget http://spacewalk.devnet.prv/pub/keys/RPM-GPG-KEY-EPEL-6 http://spacewalk.devnet.prv/pub/keys/RPM-GPG-KEY-CentOS-6 http://spacewalk.devnet.prv/pub/keys/RPM-GPG-KEY-EPEL-7 http://spacewalk.devnet.prv/pub/keys/RPM-GPG-KEY-CentOS-7 http://spacewalk.devnet.prv/pub/keys/RPM-GPG-KEY-redhat-release5 http://spacewalk.devnet.prv/pub/keys/RPM-GPG-KEY-redhat-release6 http://spacewalk.devnet.prv/pub/keys/RPM-GPG-KEY-spacewalk-2014 http://spacewalk.devnet.prv/pub/keys/RPM-GPG-KEY-spacewalk-2012 http://spacewalk.devnet.prv/pub/keys/RPM-GPG-KEY-spacewalk-2010 http://spacewalk.devnet.prv/pub/keys/RPM-GPG-KEY-spacewalk-2008
rpm --import *
cd ..
rm -rf keys/
mkdir -p /etc/sysconfig/rhn/allowed-actions/script
touch /etc/sysconfig/rhn/allowed-actions/script/run
mkdir -p /etc/sysconfig/rhn/allowed-actions/configfiles
touch /etc/sysconfig/rhn/allowed-actions/configfiles/all
mkdir -p /usr/share/rhn/
wget http://spacewalk.devnet.prv/pub/RHN-ORG-TRUSTED-SSL-CERT -O /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT   
perl -npe 's/RHNS-CA-CERT/RHN-ORG-TRUSTED-SSL-CERT/g' -i /etc/sysconfig/rhn/*
rhnreg_ks --serverUrl=https://spacewalk.devnet.prv/XMLRPC --sslCACert=/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT --activationkey=1-97d994ea86b8f4ce665d6ef01546834b,1-centos6

Joining a Client (Centos 7) to Spacewalk

On the Client as root, run:

mkdir reg-rpms
cd reg-rpms
wget http://spacewalk/pub/register/centos7/jabberpy-0.5-0.27.el7.noarch.rpm http://spacewalk/pub/register/centos7/osad-5.11.57-1.el7.noarch.rpm http://spacewalk/pub/register/centos7/python-hwdata-1.7.3-4.el7.noarch.rpm http://spacewalk/pub/register/centos7/rhncfg-5.10.83-1.el7.noarch.rpm http://spacewalk/pub/register/centos7/rhncfg-actions-5.10.83-1.el7.noarch.rpm http://spacewalk/pub/register/centos7/rhncfg-client-5.10.83-1.el7.noarch.rpm http://spacewalk/pub/register/centos7/rhn-check-2.3.16-1.el7.noarch.rpm http://spacewalk/pub/register/centos7/rhn-client-tools-2.3.16-1.el7.noarch.rpm http://spacewalk/pub/register/centos7/rhnsd-5.0.15-1.el7.x86_64.rpm http://spacewalk/pub/register/centos7/rhn-setup-2.3.16-1.el7.noarch.rpm http://spacewalk/pub/register/centos7/yum-rhn-plugin-2.3.3-1.el7.noarch.rpm http://spacewalk/pub/register/centos7/osa-common-5.11.57-1.el7.noarch.rpm http://spacewalk/pub/register/centos7/rhnlib-2.5.75-1.el7.noarch.rpm http://spacewalk/pub/register/centos7/systemd-sysv-208-20.el7.x86_64.rpm http://spacewalk/pub/register/centos7/systemd-208-20.el7.x86_64.rpm http://spacewalk/pub/register/centos7/python-2.7.5-16.el7.x86_64.rpm http://spacewalk/pub/register/centos7/libnl-1.1.4-3.el7.x86_64.rpm http://spacewalk/pub/register/centos7/libxml2-python-2.9.1-5.el7_0.1.x86_64.rpm http://spacewalk/pub/register/centos7/m2crypto-0.21.1-15.el7.x86_64.rpm http://spacewalk/pub/register/centos7/pygobject2-2.28.6-11.el7.x86_64.rpm http://spacewalk/pub/register/centos7/pyOpenSSL-0.13.1-3.el7.x86_64.rpm http://spacewalk/pub/register/centos7/python-dmidecode-3.10.13-11.el7.x86_64.rpm http://spacewalk/pub/register/centos7/python-ethtool-0.8-5.el7.x86_64.rpm http://spacewalk/pub/register/centos7/usermode-1.111-5.el7.x86_64.rpm http://spacewalk/pub/register/centos7/python-gudev-147.2-7.el7.x86_64.rpm http://spacewalk/pub/register/centos7/libxml2-python-2.9.1-5.el7_1.2.x86_64.rpm
yum -y localinstall jabberpy-0.5-0.27.el7.noarch.rpm python-hwdata-1.7.3-4.el7.noarch.rpm rhncfg-actions-5.10.83-1.el7.noarch.rpm rhn-check-2.3.16-1.el7.noarch.rpm rhnsd-5.0.15-1.el7.x86_64.rpm yum-rhn-plugin-2.3.3-1.el7.noarch.rpm osad-5.11.57-1.el7.noarch.rpm rhncfg-5.10.83-1.el7.noarch.rpm rhncfg-client-5.10.83-1.el7.noarch.rpm rhn-client-tools-2.3.16-1.el7.noarch.rpm rhn-setup-2.3.16-1.el7.noarch.rpm systemd-sysv-208-20.el7.x86_64.rpm rhnlib-2.5.75-1.el7.noarch.rpm osa-common-5.11.57-1.el7.noarch.rpm libnl-1.1.4-3.el7.x86_64.rpm m2crypto-0.21.1-15.el7.x86_64.rpm pygobject2-2.28.6-11.el7.x86_64.rpm pyOpenSSL-0.13.1-3.el7.x86_64.rpm python-dmidecode-3.10.13-11.el7.x86_64.rpm python-ethtool-0.8-5.el7.x86_64.rpm usermode-1.111-5.el7.x86_64.rpm python-gudev-147.2-7.el7.x86_64.rpm libxml2-python-2.9.1-5.el7_1.2.x86_64.rpm
cd ..
rm -rf reg-rpms
mkdir keys
cd keys
wget http://spacewalk.devnet.prv/pub/keys/RPM-GPG-KEY-EPEL-6 http://spacewalk.devnet.prv/pub/keys/RPM-GPG-KEY-CentOS-6 http://spacewalk.devnet.prv/pub/keys/RPM-GPG-KEY-EPEL-7 http://spacewalk.devnet.prv/pub/keys/RPM-GPG-KEY-CentOS-7 http://spacewalk.devnet.prv/pub/keys/RPM-GPG-KEY-redhat-release5 http://spacewalk.devnet.prv/pub/keys/RPM-GPG-KEY-redhat-release6 http://spacewalk.devnet.prv/pub/keys/RPM-GPG-KEY-spacewalk-2014 http://spacewalk.devnet.prv/pub/keys/RPM-GPG-KEY-spacewalk-2012 http://spacewalk.devnet.prv/pub/keys/RPM-GPG-KEY-spacewalk-2010 http://spacewalk.devnet.prv/pub/keys/RPM-GPG-KEY-spacewalk-2008
rpm --import *
cd ..
rm -rf keys/
mkdir -p /etc/sysconfig/rhn/allowed-actions/script
touch /etc/sysconfig/rhn/allowed-actions/script/run
mkdir -p /etc/sysconfig/rhn/allowed-actions/configfiles
touch /etc/sysconfig/rhn/allowed-actions/configfiles/all
mkdir -p /usr/share/rhn/
wget http://spacewalk.devnet.prv/pub/RHN-ORG-TRUSTED-SSL-CERT -O /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT   
perl -npe 's/RHNS-CA-CERT/RHN-ORG-TRUSTED-SSL-CERT/g' -i /etc/sysconfig/rhn/*
rhnreg_ks --serverUrl=https://spacewalk.devnet.prv/XMLRPC --sslCACert=/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT --activationkey=1-centos7

Building RPMs

https://fedoraproject.org/wiki/How_to_create_an_RPM_package#Preparing_your_system

Finding GPG key ID and fingerprint

gpg --with-fingerprint RPM-GPG-KEY-redhat-release5

(On gpg 2.1.23 and later, gpg --show-keys --with-fingerprint RPM-GPG-KEY-redhat-release5 gives the same listing without the "no command supplied" warning.)

Output (the key ID is the part after the slash on the pub line, 37017186 here; the fingerprint is the second line. Always compare the full fingerprint: the 8-character short ID is trivially collidable and proves nothing):

pub  1024D/37017186 2006-12-06 Red Hat, Inc. (release key) <security@redhat.com>
     Key fingerprint = 47DB 2877 89B2 1722 B6D9  5DDE 5326 8101 3701 7186

Import GPG key on Servers

Centos 6

wget http://spacewalk.devnet.prv/pub/keys/RPM-GPG-KEY-EPEL-6
wget http://spacewalk.devnet.prv/pub/keys/RPM-GPG-KEY-CentOS-6
rpm --import RPM-GPG-KEY-EPEL-6 RPM-GPG-KEY-CentOS-6
rm -f RPM-GPG-KEY-EPEL-6 RPM-GPG-KEY-CentOS-6

Centos 7

wget http://spacewalk.devnet.prv/pub/keys/RPM-GPG-KEY-EPEL-7
wget http://spacewalk.devnet.prv/pub/keys/RPM-GPG-KEY-CentOS-7
rpm --import RPM-GPG-KEY-EPEL-7 RPM-GPG-KEY-CentOS-7
rm -f RPM-GPG-KEY-EPEL-7 RPM-GPG-KEY-CentOS-7

RHEL 5

wget http://spacewalk.devnet.prv/pub/keys/RPM-GPG-KEY-redhat-release5
rpm --import RPM-GPG-KEY-redhat-release5
rm -f RPM-GPG-KEY-redhat-release5

RHEL 6

wget http://spacewalk.devnet.prv/pub/keys/RPM-GPG-KEY-redhat-release6
wget http://spacewalk.devnet.prv/pub/keys/RPM-GPG-KEY-EPEL-6
rpm --import RPM-GPG-KEY-redhat-release6 RPM-GPG-KEY-EPEL-6
rm -f RPM-GPG-KEY-redhat-release6 RPM-GPG-KEY-EPEL-6
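The client registration procedures (Centos 6 and Centos 7) and the key imports in this section all fetch the RPM-GPG-KEY-* files, and RHN-ORG-TRUSTED-SSL-CERT, over plain http:// and pass them straight to rpm --import, so anyone on the network path could substitute a key of their own and every later signature check would accept their packages. The following added example (not part of the original page) fetches the keys the same way but imports a key only when its fingerprint matches a value pinned in the script, read beforehand as described under "Finding GPG key ID and fingerprint". The RHEL 5 release-key fingerprint is the one shown on this page; the key URL base is the one the page uses; gpg (1.4 or 2.x), rpm and wget are assumed to be installed.

```shell
#!/bin/bash
# Added example, not part of the original page: import an RPM GPG key only
# after its fingerprint matches a value pinned here. The fingerprint is the
# one "Finding GPG key ID and fingerprint" shows how to read; the URL base
# and tool availability are assumptions.
set -u

# Assumption: same key location the registration procedures use.
KEY_BASE_URL="http://spacewalk.devnet.prv/pub/keys"

# Pinned fingerprints, one "filename fingerprint" pair per line. The RHEL 5
# release key value is the one printed on this page; record the others from
# the vendor's own key page, never from the http:// mirror being verified.
PINNED='
RPM-GPG-KEY-redhat-release5 47DB 2877 89B2 1722 B6D9 5DDE 5326 8101 3701 7186
'

# Canonical fingerprint: no whitespace, upper case, so the spaced form gpg
# prints compares equal to a compact form pasted from a key page.
norm_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]'
}

# Primary-key fingerprint of an armoured key file, taken from gpg's
# machine-readable colon output ("fpr" record, field 10) rather than the
# human-readable listing, whose layout differs between gpg 1.4 and 2.x.
key_fingerprint() {
    gpg --with-colons --with-fingerprint "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# verify_key FILE PINNED_FPR
# 0 = match, 1 = mismatch, 2 = unreadable or gpg unavailable (fail closed)
verify_key() {
    local file="$1" actual
    actual=$(key_fingerprint "$file")
    if [ -z "$actual" ]; then
        echo "cannot read a fingerprint from $file" >&2
        return 2
    fi
    if [ "$(norm_fpr "$actual")" != "$(norm_fpr "$2")" ]; then
        echo "FINGERPRINT MISMATCH for $file: got $actual" >&2
        return 1
    fi
    return 0
}

# Fetch each pinned key and import it only if it verifies.
# Exit status is the number of keys that were NOT imported.
import_pinned_keys() {
    local dir name fpr failures=0
    dir=$(mktemp -d)
    while read -r name fpr; do
        [ -n "$name" ] || continue
        if ! wget -q -O "$dir/$name" "$KEY_BASE_URL/$name"; then
            echo "download failed: $name" >&2
            failures=$((failures + 1))
            continue
        fi
        if verify_key "$dir/$name" "$fpr"; then
            rpm --import "$dir/$name"
        else
            failures=$((failures + 1))
        fi
    done <<EOF
$PINNED
EOF
    rm -rf "$dir"
    return "$failures"
}

# Only act when explicitly asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "--import" ]; then
    import_pinned_keys
fi
```

Run it as root with --import; a key that fails verification is left out and the return value counts the failures, so a kickstart %post can abort instead of registering against a server it cannot trust. The same idea applies to RHN-ORG-TRUSTED-SSL-CERT: compare the output of openssl x509 -in RHN-ORG-TRUSTED-SSL-CERT -noout -fingerprint -sha256 against the value recorded when the Spacewalk CA was generated before passing the file to rhnreg_ks --sslCACert.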

Configure PXE Booting

Change PXE Menu Names

vi /etc/cobbler/pxe/pxeprofile.template

#set $new_name = $profile_name.replace(':1:SpacewalkDefaultOrganization', ' ')
#set $new_menu_label = $menu_label.replace(':1:SpacewalkDefaultOrganization', ' ')
LABEL $new_name
        MENU PASSWD
        kernel $kernel_path
        $new_menu_label
        $append_line
        ipappend 2

Update PXE files

cobbler sync
cat /var/lib/tftpboot/pxelinux.cfg/default

Add Password, Background, and WindowsDeployment to PXE Menu

vi /etc/cobbler/pxe/pxedefault.template

DEFAULT vesamenu.c32
PROMPT 0
MENU TITLE DevNet Image Central
MENU BACKGROUND /devnetSplash.png
MENU MARGIN 1
MENU ROWS 15
MENU COLOR BORDER       30;44     #ffffffff #00000000 std
MENU COLOR TITLE        1;36;44   #ffffffff #00000000 std
MENU COLOR UNSEL        37;44     #ffffffff #00000000 std
MENU COLOR TIMEOUT_MSG  37;40     #ffffffff #00000000 std
MENU MASTER PASSWD $1$YVi/j0hL$a6SdxIUHZCA7jFisNZh6O/
TIMEOUT 80
TOTALTIMEOUT 6000
ONTIMEOUT $pxe_timeout_profile
LABEL local
        MENU LABEL (Boot Local System)
        MENU DEFAULT
        LOCALBOOT 0  
$pxe_menu_items
LABEL WindowsDeployment
        MENU LABEL Windows Deployment
        MENU PASSWD
        PXE tftp://10.81.49.27/pxelinux.0 
MENU end

cobbler sync renders this template into /var/lib/tftpboot/pxelinux.cfg/default, which TFTP hands to any host on the PXE network, so the MENU MASTER PASSWD hash above is readable by anyone who can reach the server, and an MD5-crypt ($1$) hash is cheap to brute-force offline. Syslinux also accepts SHA-256 ($5$) and SHA-512 ($6$) crypt hashes; use one of those, and treat the menu password as a deterrent rather than a security boundary, since a host that can PXE-boot can usually boot its own media as well.

Setup Pam Authentication w/ VAS

  • Put the following in /etc/pam.d/rhn-satellite
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_vas3.so
auth        required      pam_deny.so
account     sufficient    pam_vas3.so
account     requisite     pam_vas3.so echo_return
account     required      pam_unix.so broken_shadow
  • Add the following line to /etc/rhn/rhn.conf
pam_auth_service = rhn-satellite
  • Restart the Spacewalk services (spacewalk-service restart) and then tick "Use PAM authentication" on each user's details page. The rhn.conf setting only names the PAM service; it does not switch existing users away from their local Spacewalk password.

Troubleshooting

Client Yum Errors

Error: Cannot retrieve repository metadata (repomd.xml) for repository: <channel> Please verify its path and try again.

  • Client Side: Check /etc/sysconfig/rhn/up2date and make sure that the spacewalk URL is Fully Qualified.
  • Spacewalk Side: Check /var/cache/rhn/repodata/<channel>/
    • If noyumrepo.txt exists log into the Web GUI and manage channels. Make sure that the channel Checksum Type is not set to 'None'.

Kickstart Errors

Installing error populating transaction, retrying (1/10) error populating transaction after 10 retries: failure: getPackage/<package name> from <repo name>: [Errno 256] No more mirrors to try.

  • Spacewalk Side: this is normally a permissions or SELinux-label problem on the package store, not a missing package. Check that the files are readable by the httpd user (apache) and that their labels are intact before changing modes:
ls -lZ /var/satellite/redhat/1/
restorecon -Rv /var/satellite/
    • The quick fix used here was
chmod -R 777 /var/satellite/redhat/1/
      Note that this makes every package file world-writable, so any local account on the Spacewalk server can swap in a modified RPM that clients will later install, and a client installing with yum --nogpgcheck (as the lockdown script does) would not notice. Prefer restoring ownership to apache with directories at 755 and files at 644 over 777.

Spacewalk Scripts

cleanupPackages

convertISOtoKickstartTree

createKickstartISO

exportAllChannels

findAndGetKickstartTree

getCompletedActionId

getServerIds

makeKickstartTree

pushConfigurationChannelFiles

reposync

spacewalkCreds