====== ELK ======

https://log-dev.it.vt.edu/

Search "logstash grok patterns": https://github.com/elastic/logstash/blob/v1.4.2/patterns/grok-patterns

Development code for the university as set up by Dave Martin (darkmoon): https://git.it.vt.edu

===== Mac install =====

System-wide install under /usr/local:

```
# curl -O https://download.elasticsearch.org/elasticsearch/release/org/elasticsearch/distribution/tar/elasticsearch/2.1.0/elasticsearch-2.1.0.tar.gz
curl -O https://download.elastic.co/logstash/logstash/logstash-2.1.0.tar.gz
curl -O https://download.elastic.co/kibana/kibana/kibana-4.3.0-darwin-x64.tar.gz
curl -O https://download.elastic.co/beats/filebeat/filebeat-1.0.0-darwin.tgz
shasum filebeat-1.0.0-darwin.tgz
mkdir /usr/local/logstash
mkdir /usr/local/elasticsearch
mkdir /usr/local/kibana
mkdir /usr/local/filebeat
tar xzf logstash-2.1.0.tar.gz -C /usr/local/logstash
tar zxf elasticsearch-2.1.0.tar.gz -C /usr/local/elasticsearch/
tar zxf kibana-4.3.0-darwin-x64.tar.gz -C /usr/local/kibana
tar zxf filebeat-1.0.0-darwin.tgz -C /usr/local/filebeat
```

or, as a per-user install:

```
cd /Users/stedwar1/bin/elk
curl -O https://download.elasticsearch.org/elasticsearch/release/org/elasticsearch/distribution/tar/elasticsearch/2.1.0/elasticsearch-2.1.0.tar.gz
curl -O https://download.elastic.co/logstash/logstash/logstash-2.1.0.tar.gz
curl -O https://download.elastic.co/kibana/kibana/kibana-4.3.0-darwin-x64.tar.gz
curl -O https://download.elastic.co/beats/filebeat/filebeat-1.0.0-darwin.tgz
shasum filebeat-1.0.0-darwin.tgz
mkdir logstash
mkdir elasticsearch
mkdir kibana
mkdir filebeat
tar xzf logstash-2.1.0.tar.gz -C logstash
tar xzf elasticsearch-2.1.0.tar.gz -C elasticsearch
tar xzf kibana-4.3.0-darwin-x64.tar.gz -C kibana
tar xzf filebeat-1.0.0-darwin.tgz -C filebeat
```

Start Elasticsearch:

```
cd
cd usr/local/elk/elasticsearch
./elasticsearch-2.1.0/bin/elasticsearch
```

Test Elasticsearch:

```
curl -XGET 'localhost:9200'
```

Install the Logstash plugins and check the pipeline config:

```
cd ../logstash
./logstash-2.1.0/bin/plugin list
./logstash-2.1.0/bin/plugin install logstash-filter-geoip
./logstash-2.1.0/bin/plugin install logstash-filter-grok
./logstash-2.1.0/bin/plugin install logstash-input-beats
./logstash-2.1.0/bin/logstash -f first-pipeline.conf --configtest
./logstash-2.1.0/bin/logstash -f /Users/steveedwards/usr/local/elk/logstash/first-pipeline.conf
```

Test Logstash:

```
./logstash-2.1.0/bin/logstash -e 'input { stdin { } } output { stdout {} }'
./logstash-2.1.0/bin/logstash -e 'input { stdin { } } output { elasticsearch {} }'
```

If using the test file, be sure to prime the index somehow (???); then this will work if you use the date of the Logstash input:

```
curl -XGET 'localhost:9200/logstash-2015.12.08/_search?q=response=200'
```

Filebeat (load the Beats dashboards, then the Filebeat index template, then run Filebeat in the foreground):

```
curl -L -O http://download.elastic.co/beats/dashboards/beats-dashboards-1.0.0.tar.gz
tar xzvf beats-dashboards-1.0.0.tar.gz
cd beats-dashboards-1.0.0/
./load.sh
cd
cd usr/local/elk/filebeat/filebeat-1.0.0-darwin
curl -XPUT 'http://localhost:9200/_template/filebeat?pretty' -d@filebeat.template.json
sudo ./filebeat -e -c filebeat.yml -d "publish"
```

Kibana:

```
AOEs-iMac:bin steveedwards$ pwd
/Users/steveedwards/usr/local/elk/kibana/kibana-4.3.0-darwin-x64/bin
AOEs-iMac:bin steveedwards$ ./kibana
```

===== Searching logs.it.vt.edu =====

Log on and select the [logstash-]YYYY.MM.DD index pattern.

To see logons:

```
egp4 AND Authentication* AND NOT _adminstedwar1
```

Various syntax experiments:

```
/egp[02348]/ AND NOT DAAP AND NOT netbiosd AND NOT repeated AND NOT softwareupdated AND NOT Info AND Backup AND "No destinations resolvable"
/egp[02348]/ AND Backup AND "No destinations resolvable" AND beat.hostname: egp4.aoe.vt.edu
/egp[02348]/ AND Backup AND /r.*able/
```

To see backups whose destinations are not resolvable:

```
/egp[02348]/ AND Backup AND "No destinations resolvable"
```

===== Mac install 2.2 =====

==== elastic search ====

```
mkdir elk
cd elk/
ls
curl -L -O https://download.elasticsearch.org/elasticsearch/release/org/elasticsearch/distribution/tar/elasticsearch/2.2.0/elasticsearch-2.2.0.tar.gz
tar xvf elasticsearch-2.2.0.tar.gz
./elasticsearch-2.2.0/bin/elasticsearch
```

==== filebeat ====

Download Filebeat from https://www.elastic.co/downloads/beats/filebeat

```
mkdir /Applications/Filebeat
cd !$
curl -L -O https://download.elastic.co/beats/filebeat/filebeat-1.1.1-darwin.tgz
tar xf filebeat-1.1.1-darwin.tgz
rm filebeat-1.1.1-darwin.tgz
cd filebeat-1.1.1-darwin/
vim filebeat.yml
```

== edits to filebeat.yml ==

Optional: In the paths section, comment out *.log and add specific log files.

```
filebeat:
  prospectors:
    -
      paths:
        - /var/log/*.log
      input_type: log
      fields:
        name: workstation
        host: egp0.aoe.vt.edu
        tier: prod
        group: laa.aoe.desktop
      document_type: syslog
  registry_file: /Library/Application Support/Filebeat/registry
output:
  logstash:
    hosts: ["log-1.it.vt.edu:5045","log-2.it.vt.edu:5045","log-3.it.vt.edu:5045"]
    loadbalance: true
    tls:
      certificate_authorities: ["/Applications/Filebeat/logqueue-prod-cachain.pem"]
      min_version: 1.2
  file:
    path: "/tmp/filebeat"
shipper:
logging:
  files:
    rotateeverybytes: 10485760 # = 10MB
```

Required: In the Output section, comment out elasticsearch, uncomment "logstash:" and add the university log hosts.

```
output:
  ### Elasticsearch as output
  # elasticsearch:
    # Array of hosts to connect to.
    # Scheme and port can be left out and will be set to the default (http and 9200)
    # In case you specify an additional path, the scheme is required: http://localhost:9200/path
    # IPv6 addresses should always be defined as: https://[2001:db8::1]:9200
    # hosts: ["localhost:9200"]
  ...
  ### Logstash as output
  logstash:
    # The Logstash hosts
    #hosts: ["localhost:5044"]
    hosts: ["elk-ihf-1.cc.vt.edu:5044"]
  ...
```

Optional: For local debugging, it might help to write a local text file by uncommenting the file and path lines.

```
  ### File as output
  file:
    # Path to the directory where to save the generated files. The option is mandatory.
    path: "/tmp/filebeat"
```

Optional: A shipper name can be added to the log message. This was used to troubleshoot a problem with localhost being used for "beat.hostname:" and "beat.name:" after reboot.

```
shipper:
  # The name of the shipper that publishes the network data. It can be used to group
  # all the transactions sent by a single shipper in the web interface.
  # If this options is not defined, the hostname is used.
  #name:
```

== Hostname ==

Set the hostname: https://knowledge.autodesk.com/support/flame-products/troubleshooting/caas/sfdcarticles/sfdcarticles/Setting-the-Mac-hostname-or-computer-name-from-the-terminal.html

From the above web site:

```
# fully qualified hostname
sudo scutil --set HostName
# Bonjour hostname
sudo scutil --set LocalHostName
# optional: user-friendly computer name you see in Finder
sudo scutil --set ComputerName
# flush the DNS cache
dscacheutil -flushcache
```

Restart your Mac.

== Launch Daemon ==

Add a launchd plist (https://discuss.elastic.co/t/deploying-filebeat-on-macos-x/37785/2):

```
cat > /Library/LaunchDaemons/co.elastic.filebeat
```

```
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>co.elastic.filebeat</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Applications/Filebeat/filebeat.start</string>
        <string>-c</string>
        <string>/Applications/Filebeat/filebeat.yml</string>
    </array>
    <key>KeepAlive</key>
    <true/>
</dict>
</plist>
```

```
chmod +x !$
```

== script to start filebeat after hostname is assigned ==

Add a launchd start script:

```
cat > /Applications/Filebeat/filebeat.start
```

```
#!/bin/bash
# Hack to make filebeat wait until the system assigns the HOSTNAME variable.
# While the hostname is still "localhost", sleep briefly and exit non-zero;
# launchd's KeepAlive then relaunches the job, which repeats the check.
while [ "$HOSTNAME" = localhost ]
do
    sleep 5
    exit 1
done
# Replace this shell with filebeat so launchd tracks the real process
exec /Applications/Filebeat/filebeat "$@"
```

```
chmod +x !$
```

===== Linux install =====

tar method:

```
curl -O https://download.elasticsearch.org/elasticsearch/release/org/elasticsearch/distribution/tar/elasticsearch/2.1.0/elasticsearch-2.1.0.tar.gz
curl -O https://download.elastic.co/logstash/logstash/logstash-2.1.1.tar.gz
curl -O https://download.elastic.co/kibana/kibana/kibana-4.3.0-linux-x64.tar.gz
curl -O https://download.elastic.co/beats/filebeat/filebeat-1.0.0-x86_64.tar.gz
mkdir elasticsearch kibana filebeat logstash
tar xzf elasticsearch-2.1.0.tar.gz -C elasticsearch
tar xzf logstash-2.1.1.tar.gz -C logstash
tar xzf kibana-4.3.0-linux-x64.tar.gz -C kibana
tar xzf filebeat-1.0.0-x86_64.tar.gz -C filebeat
java -version
```

yum/rpm method:

```
su -
rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
cd /etc/yum.repos.d/
cat >> elasticsearch.repo
```

```
[elasticsearch-2.x]
name=Elasticsearch repository for 2.x packages
baseurl=http://packages.elastic.co/elasticsearch/2.x/centos
gpgcheck=1
gpgkey=http://packages.elastic.co/GPG-KEY-elasticsearch
enabled=1

[logstash-2.1]
name=Logstash repository for 2.1.x packages
baseurl=http://packages.elastic.co/logstash/2.1/centos
gpgcheck=1
gpgkey=http://packages.elastic.co/GPG-KEY-elasticsearch
enabled=1
```

```
yum install elasticsearch
yum install logstash
systemctl daemon-reload
systemctl enable elasticsearch.service
systemctl start elasticsearch.service
curl -L -O https://download.elastic.co/beats/filebeat/filebeat-1.0.0-x86_64.rpm
sudo rpm -vi filebeat-1.0.0-x86_64.rpm
/opt/logstash/bin/plugin list
/opt/logstash/bin/plugin install logstash-filter-geoip
/opt/logstash/bin/plugin install logstash-filter-grok
/opt/logstash/bin/plugin install logstash-input-beats
```

Modify Filebeat to report to Logstash:

```
vim /etc/filebeat/filebeat.yml
```

Comment out elasticsearch and its hosts line, uncomment logstash and its hosts line, then restart:

```
/etc/init.d/filebeat restart
```

Modify Logstash likewise:

```
vim /etc/logstash/conf.d/first
```

```
input {
  beats {
    port => 5044
  }
}
output {
  elasticsearch {
    hosts => "localhost:9200"
    sniffing => true
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}
```

```
exit
cd /l/stedwar1/elk/logstash/logstash-2.1.1/bin/
ls
cd
curl -XGET 'localhost:9200'
cd ?
./kibana
```

====== Hardening notes ======

===== 2fa Two factor authentication =====

==== Trying to compile pam_duo?? ====

Edit configure.ac and update

```
AM_INIT_AUTOMAKE([1.13.4 foreign subdir-objects serial-tests])
```

with the version from `automake --version`, then

```
autoreconf --install
./configure --with-pam --prefix=/usr && make && sudo make install
```

The Mac version errors with a malloc error, and Linux still cannot find the compat dir in the `sudo make install` step.
==== Brew install duo_unix ====

Brew installs version 1.9.17:

```
brew install duo_unix
```

Modify /etc/duo/pam_duo.conf with data from the Duo admin site.

Add to /etc/pam.d/sshd and /etc/pam.d/sudo:

```
auth required /usr/local/lib/security/pam_duo.so
```

==== For local yubikey 2fa ====

Download `Mac OS X Logon (using Yubico-PAM)` from https://www.yubico.com/support/knowledge-base/categories/articles/os-logon-tools/ and install. Currently: https://developers.yubico.com/yubico-pam/Releases/pam_yubico-2.23.pkg

Keep a remote administrator shell open on another machine during this process!

https://developers.yubico.com/yubico-pam/MacOS_X_Challenge-Response.html

Skip the `sudo port install yubico-pam` section since the pkg above handles the install.

Create the directory where ykpamcfg will store the initial challenge:

```
mkdir -m0700 -p ~/.yubico
```

Get the initial challenge from the YubiKey:

```
ykpamcfg -2
```

Add this line to the top of /etc/pam.d/authorization:

```
auth required /usr/local/lib/security/pam_yubico.so mode=challenge-response debug
```

===== scripts =====

```
sw_vers
```

check_local_admins.sh:

```
#!/bin/bash
# Script to detect whether a computer has a local admin account with a UID above 500.

# Initialize arrays
list=()
users=()

# Generate the list of users with UID greater than 500
for username in $(dscl . list /Users UniqueID | awk '$2 > 500 { print $1 }'); do
    # Check which usernames are reported as admins. dsmemberutil prints
    # "<user> is a member of the group" or "<user> is not a member of the
    # group", so the test is for accounts that are NOT reported as "not"
    # a member (i.e. not standard users).
    users+=("${username}")
    if [[ $(dsmemberutil checkmembership -U "${username}" -G admin) != *not* ]]; then
        # Any reported accounts are added to the admin list
        list+=("${username}")
    fi
done

# Print the arrays' contents
echo "All users:"
echo "${users[@]}"
echo "Administrator:"
echo "${list[@]}"
```

restart.sh:

```
#!/bin/bash
osascript -e 'tell app "System Events" to restart'
```

===== osxlockdown =====

```
mkdir -p $HOME/go/src
export GOPATH=$HOME/go
cd $GOPATH/src
git clone https://github.com/SummitRoute/osxlockdown.git
cd osxlockdown/
go build osxlockdown
./osxlockdown
```

===== Packet Filter pf =====

[[https://pleiades.ucsc.edu/hyades/PF_on_Mac_OS_X]]
http://blog.scottlowe.org/2013/05/15/using-pf-on-os-x-mountain-lion/
http://www.openbsd.org/faq/pf/shortcuts.html
http://www.openbsd.org/faq/pf/config.html
http://krypted.com/mac-security/a-cheat-sheet-for-using-pf-in-os-x-lion-and-up/
http://egopoly.com/2014/11/yosemite-simple-firewall.html

Enabling stealth mode, or "block all incoming", enables pf.

Typical config locations:

```
cat /etc/pf.conf
ls /etc/pf.anchors/
```

Show rules (nothing):

```
pfctl -sr
```

Show rules for an anchor:

```
pfctl -a com.apple -sr
```

Show rules for a sub-anchor:

```
pfctl -a com.apple/250.ApplicationFirewall -s rules
pfctl -a com.apple/250.ApplicationFirewall -sr
```

Show anchors, verbose:

```
pfctl -v -s Anchors
pfctl -vsA
```

Check the file, verbose:

```
pfctl -vnf /etc/pf.conf
```

Show start references:

```
pfctl -s References
```

Show info:

```
pfctl -s info
```

Application firewall (ALF) preferences, launchd jobs and the socketfilterfw tool:

```
defaults read /Library/Preferences/com.apple.alf.plist
launchctl unload /System/Library/LaunchDaemons/com.apple.pfctl.plist
launchctl load /System/Library/LaunchDaemons/com.apple.pfctl.plist
launchctl unload /System/Library/LaunchAgents/com.apple.alf.useragent.plist
launchctl unload /System/Library/LaunchDaemons/com.apple.alf.agent.plist
launchctl load /System/Library/LaunchDaemons/com.apple.alf.agent.plist
launchctl load /System/Library/LaunchAgents/com.apple.alf.useragent.plist
less /System/Library/LaunchDaemons/com.apple.alf.agent.plist
less /System/Library/LaunchAgents/com.apple.alf.useragent.plist
/usr/libexec/ApplicationFirewall/socketfilterfw -h
/usr/libexec/ApplicationFirewall/socketfilterfw -c   # ?? (check file??)
/usr/libexec/ApplicationFirewall/socketfilterfw --listapps
/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode
/usr/libexec/ApplicationFirewall/socketfilterfw --getblockall
```

==== Disable firewall ====

```
# Unload alf Firewall
launchctl unload /System/Library/LaunchAgents/com.apple.alf.useragent.plist
launchctl unload /System/Library/LaunchDaemons/com.apple.alf.agent.plist
# This could be the same thing
/usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate off
# Unload pf
launchctl unload /System/Library/LaunchDaemons/com.apple.pfctl.plist
# List further references
pfctl -s References
# Use the TOKEN to release the reference
pfctl -X 16223657253052935175
# Flush pf
pfctl -Fa -f /etc/pf.conf
```

==== auto script ====

```
# Enable alf Firewall
launchctl load /System/Library/LaunchDaemons/com.apple.alf.agent.plist
launchctl load /System/Library/LaunchAgents/com.apple.alf.useragent.plist
#
/usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
#/usr/libexec/ApplicationFirewall/socketfilterfw --listapps
# Enable Stealth Mode
/usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on
```

===== sshd =====

```
# Enable ssh with keys only
launchctl load -w /System/Library/LaunchDaemons/ssh.plist
# launchctl(1) says this about the -w flag:
#   -w   Overrides the Disabled key
```

Add the following options to /etc/sshd_config:

```
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
AuthenticationMethods "publickey,password" "publickey,keyboard-interactive"
```

Restart sshd:

```
launchctl unload /System/Library/LaunchDaemons/ssh.plist
launchctl load /System/Library/LaunchDaemons/ssh.plist
```
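As an added check for the sshd_config settings above (example code, not part of the original notes), this script reports which of the required settings a given sshd_config is missing or sets differently. It honours sshd's rules that keywords are case-insensitive and that the first occurrence of a keyword wins; with no argument it audits a constructed sample config embedded in the script.

```bash
#!/bin/bash
# Added example: audit an sshd_config for the key-only settings listed above.
# Only the "Keyword value" form is handled, not "Keyword=value".

# Constructed sample config, embedded so the example runs offline. It leaves
# PasswordAuthentication commented out (so the default applies) and has a
# later duplicate PermitRootLogin that sshd would ignore.
SAMPLE_CONFIG='# sshd_config (constructed sample)
Port 22
permitrootlogin no
#PasswordAuthentication no
ChallengeResponseAuthentication no
AuthenticationMethods publickey,keyboard-interactive
PermitRootLogin yes
'

# effective_value FILE KEYWORD: print the value sshd would use (first match).
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        NF == 0 || $1 ~ /^#/ { next }        # skip blank and comment lines
        tolower($1) == key {
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")  # drop the keyword
            sub(/[ \t]+$/, "")               # trim trailing whitespace
            print
            exit                             # first occurrence wins
        }' "$1"
}

# audit_sshd_config FILE: print one line per required setting and return the
# number of settings that are missing or differ from the hardened value.
audit_sshd_config() {
    file="$1"
    failures=0
    while IFS='=' read -r key want; do
        got="$(effective_value "$file" "$key")"
        if [ -z "$got" ]; then
            echo "MISSING  $key (want: $want)"
            failures=$((failures + 1))
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH $key = $got (want: $want)"
            failures=$((failures + 1))
        else
            echo "OK       $key = $got"
        fi
    done <<'EOF'
PermitRootLogin=no
PasswordAuthentication=no
ChallengeResponseAuthentication=no
EOF
    return "$failures"
}

# With no argument, audit the constructed sample; otherwise audit the file
# given as $1 (e.g. /etc/sshd_config on the Macs above).
main() {
    target="${1:-}"
    tmp=""
    if [ -z "$target" ]; then
        tmp="$(mktemp)"
        printf '%s' "$SAMPLE_CONFIG" > "$tmp"
        target="$tmp"
    fi
    audit_sshd_config "$target" && rc=0 || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "all hardened settings present"
    else
        echo "$rc setting(s) need attention"
    fi
    [ -n "$tmp" ] && rm -f "$tmp"
    return 0
}

main "$@"
```

Running it against the sample reports PermitRootLogin and ChallengeResponseAuthentication as OK and PasswordAuthentication as MISSING, since a commented-out line leaves the sshd default in force.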
Add sshd-keygen-wrapper to ALF:

```
/usr/libexec/ApplicationFirewall/socketfilterfw --add /usr/libexec/sshd-keygen-wrapper
```

===== Enjoy verbose messages at bootup =====

```
nvram boot-args="-v"
```

Disable:

```
nvram boot-args=
```

====== README.TXT ======

AOE Hancock Lab iMac
====================

* Encrypt Project Data
* Scan all removable media before inserting in machine

PATH settings for user installed software
-----------------------------------------

```
export MAGICK_HOME="$HOME/Applications/ImageMagick-6.9.3"
export PATH="$MAGICK_HOME/bin:$PATH"
export DYLD_LIBRARY_PATH="$MAGICK_HOME/lib/"
```

----

Install OpenFOAM
--------

OpenFOAM is already compiled as a user. Dependencies are installed via homebrew, installed as administrator in order to place it in `/usr/local`, providing a common prefix for compiled code. The package manager, homebrew, can be installed as a user just fine, but the compiled code will then reference the user's directory where homebrew is installed, making it less portable for other users.

[OpenFOAM for Mac using git and homebrew](https://github.com/mrklein/openfoam-os-x/wiki/OpenFOAM-git-version-&-Homebrew)

Test OpenFOAM
-------------

* Mount the sparse bundle on ~/OpenFOAM

```
hdiutil attach -mountpoint $HOME/OpenFOAM OpenFOAM.sparsebundle
```

* Source the OpenFOAM environment and test

```
cd OpenFOAM/OpenFOAM-3.0.x/
source etc/bashrc
mkdir -p $FOAM_RUN
cp -r $FOAM_TUTORIALS $FOAM_RUN
cd $FOAM_RUN/tutorials/incompressible/icoFoam/cavity
blockMesh
icoFoam
paraFoam
```

OpenFOAM extend
---------------

Mount the sparse image located in the home directory.

```
mkdir foam
cd foam
ln -s /Volumes/foam-extend-3.1 .
. foam-extend-3.1/etc/bashrc
```

Other Information
-----------------

Create an encrypted disk image:

```
Incomplete >> hdiutil create -size 8.3g -type SPARSEBUNDLE -fs HFSX -volname OpenFOAM -fsargs -s OpenFOAM.sparsebundle
```

Encrypt an existing disk image.
```
hdiutil convert test.sparsebundle -format UDSB -encryption AES-256 -o testenc
```

====== README-ADMIN.TXT ======

AOE Hancock Lab iMac Image Notes
================================

PATH settings for user installed software
-----------------------------------------

```
export MAGICK_HOME="$HOME/Applications/ImageMagick-6.9.3"
export PATH="$MAGICK_HOME/bin:$PATH"
export DYLD_LIBRARY_PATH="$MAGICK_HOME/lib/"
```

----

Install OpenFOAM
--------

OpenFOAM is already compiled as a user. Dependencies are installed via homebrew, installed as administrator in order to place it in `/usr/local`, providing a common prefix for compiled code. The package manager, homebrew, can be installed as a user just fine, but the compiled code will then reference the user's directory where homebrew is installed, making it less portable for other users. Here is how the installation works.

[OpenFOAM for Mac using git and homebrew](https://github.com/mrklein/openfoam-os-x/wiki/OpenFOAM-git-version-&-Homebrew)

```
mkdir homebrew && curl -L https://github.com/Homebrew/homebrew/tarball/master | tar xz --strip 1 -C homebrew
export PATH="$PATH":~/Applications/homebrew/bin/
brew tap homebrew/science
brew install open-mpi --without-fortran
brew install scotch
brew install boost --without-single --with-mpi
brew install cgal
brew install metis
brew install parmetis
brew install https://raw.githubusercontent.com/mrklein/openfoam-os-x/master/formulae/parmgridgen.rb
```

* Download OpenFOAM and the OS X patch, then

```
mkdir -p $HOME/.OpenFOAM
echo 'WM_COMPILER=Clang' > $HOME/.OpenFOAM/prefs.sh
echo 'WM_COMPILE_OPTION=Opt' >> $HOME/.OpenFOAM/prefs.sh
echo 'WM_MPLIB=SYSTEMOPENMPI' >> $HOME/.OpenFOAM/prefs.sh
echo 'export WM_NCOMPPROCS=$(sysctl -n hw.ncpu)' >> $HOME/.OpenFOAM/prefs.sh
source etc/bashrc
[ "$(ulimit -n)" -lt "4096" ] && ulimit -n 4096
./Allwmake > log.Allwmake 2>&1
```

Test OpenFOAM
-------------

* Mount the sparse bundle on ~/OpenFOAM

```
hdiutil attach -mountpoint $HOME/OpenFOAM OpenFOAM.sparsebundle
```

* Source the OpenFOAM environment and test

```
cd OpenFOAM/OpenFOAM-3.0.x/
source etc/bashrc
mkdir -p $FOAM_RUN
cp -r $FOAM_TUTORIALS $FOAM_RUN
cd $FOAM_RUN/tutorials/incompressible/icoFoam/cavity
blockMesh
icoFoam
paraFoam
```

Complete OpenFOAM Installation Instruction
------------------------------------------

As listed on https://github.com/mrklein/openfoam-os-x/wiki/OpenFOAM-git-version-&-Homebrew

```
$ brew tap homebrew/science
$ brew install open-mpi --without-fortran
$ brew install scotch
$ brew install boost --without-single --with-mpi
$ brew install cgal
$ brew install metis
$ brew install parmetis
$ brew install https://raw.githubusercontent.com/mrklein/openfoam-os-x/master/formulae/parmgridgen.rb
$ cd
$ hdiutil create -size 8.3g -type SPARSEBUNDLE -fs HFSX -volname OpenFOAM -fsargs -s OpenFOAM.sparsebundle
$ mkdir -p OpenFOAM
$ hdiutil attach -mountpoint $HOME/OpenFOAM OpenFOAM.sparsebundle
$ cd OpenFOAM
$ git clone https://github.com/OpenFOAM/OpenFOAM-A.B.x.git
$ cd OpenFOAM-A.B.x
$ curl -L https://raw.githubusercontent.com/mrklein/openfoam-os-x/master/OpenFOAM-A.B.x-commit.patch > OpenFOAM-A.B.x-commit.patch
$ git checkout -b local-install
$ git apply OpenFOAM-A.B.x-commit.patch
$ mkdir -p $HOME/.OpenFOAM
$ echo 'WM_COMPILER=Clang' > $HOME/.OpenFOAM/prefs.sh
$ echo 'WM_COMPILE_OPTION=Opt' >> $HOME/.OpenFOAM/prefs.sh
$ echo 'WM_MPLIB=SYSTEMOPENMPI' >> $HOME/.OpenFOAM/prefs.sh
$ echo 'export WM_NCOMPPROCS=$(sysctl -n hw.ncpu)' >> $HOME/.OpenFOAM/prefs.sh
$ source etc/bashrc
$ [ "$(ulimit -n)" -lt "4096" ] && ulimit -n 4096
$ ./Allwmake > log.Allwmake 2>&1
```

## OpenFOAM extend

Mount the sparse image located in the home directory.

```
mkdir foam
cd foam
ln -s /Volumes/foam-extend-3.1 .
. foam-extend-3.1/etc/bashrc
```

Other Information
-----------------

Encrypt an existing disk image.
```
hdiutil convert test.sparsebundle -format UDSB -encryption AES-256 -o testenc
```

Steps to migrate image to users machine
---------------------------------------

* Lock firmware
* Create the new user account. Hokies!2016.
* Log in to the new account.
* `sudo -i`
* Move the template ~/Applications folder to the new user account and move the sparse images to the base of the home directory.

```
mv /Users/stedwar1/Applications /Users/kda15/
chown -R kda15 /Users/kda15/Applications
cp -a /Users/stedwar1/.OpenFOAM /Users/kda15/
chown -R kda15 /Users/kda15/.OpenFOAM
mv /Users/kda15/Applications/OpenFOAM.sparsebundle /Users/kda15/
mv /Users/kda15/Applications/foam-extend-3.1.sparseimage /Users/kda15/
```

* Set hostnames

```
sudo scutil --set HostName egpX.aoe.vt.edu
sudo scutil --set LocalHostName egpX
sudo scutil --set ComputerName egpX
dscacheutil -flushcache
```

* Remove stedwar1 account ?? Use the GUI
* Copy osxlockdown to /Library/AOE/ (note: `!$` after the `cp` would expand to `/Library/`, not `/Library/AOE`, so the target is spelled out)

```
sudo cp -a /Volumes/Voyager1/AOE /Library/
chmod -R o= /Library/AOE
```

* Set IP addresses: use the GUI
* Apply profiles

```
profiles -I -F /Users/_adminstedwar1/Desktop/Settings_for_egp_machines-3.mobileconfig
```

To remove:

```
profiles -C
_computerlevel[1] attribute: profileIdentifier: com.apple.mdm.steves-air.aoe.vt.edu.0ba1b350-b313-0133-2483-7cc3a188e6af.alacarte
profiles -R -p com.apple.mdm.steves-air.aoe.vt.edu.0ba1b350-b313-0133-2483-7cc3a188e6af.alacarte
```

* Apply osxlockdown

```
cd /Library/AOE
./osxlockdown
./osxlockdown -remediate
```

* Reboot
* Test the new user account's applications
* FileVault: https://derflounder.wordpress.com/2015/12/20/managing-el-capitans-filevault-2-with-fdesetup/
  * Enable. This can be required through policies, but is done manually for now.
    egp8 test `KRWD-GGBU-9NRM-UMOY-TFX4-XHAV` (obsolete)
  * Add users

```
fdesetup add -usertoadd otheruser
fdesetup list
fdesetup remove -user username_goes_here
```

* Turn off Wireless and set permissions after copying the image to the final machine
* Attempts to fix sshd-keygen-wrapper

```
/usr/libexec/PlistBuddy -c "print firewall:\"Remote Login - SSH\":state" /Library/Preferences/com.apple.alf.plist
/usr/libexec/PlistBuddy -c "set firewall:\"Remote Login - SSH\":state 1" /Library/Preferences/com.apple.alf.plist
```

  * disable

```
/usr/libexec/PlistBuddy -c "print applications:4:state 2" /Library/Preferences/com.apple.alf.plist
```

  * enable

```
/usr/libexec/PlistBuddy -c "print applications:4:state 0" /Library/Preferences/com.apple.alf.plist
```

* Added this to filebeat.start on egp8 as a shim until it can be set properly. (Commented back out since finding a solution.)

```
# Allow ssh through the application firewall because the allow setting does not
# remain after reboot with "Automatically allow signed software..." unchecked.
/usr/libexec/ApplicationFirewall/socketfilterfw --unblock /usr/libexec/sshd-keygen-wrapper
```

* Possible solution: make the changes from another account besides the _adminstedwar1 account.
* Possible solution (worked from the admin user on the egp4 image):
  1. Turn off Remote Access (sshd)
  1. Remove sshd-keygen-wrapper from the firewall
  1. Stop and restart the firewall
  1. Reboot
  1. Turn on Remote Access (sshd)
  1. Add /usr/libexec/sshd-keygen-wrapper to the allowed exceptions
  1. Reboot
  1. Check that the exception is still allowed

## Deploy to user

* Sign out of:
  * Messenger
  * iCloud
  * iTunes
  * AppStore
* Boot to USB install
* umount main partition
* Erase main drive
* Install El Capitan. This is done in order to update the recovery partition, which is crucial to have in order to get the new disk utilities.
* Copy user's image to the main disk

## things to check

* using profiles3
* app firewall for sshd-keygen-wrapper allowed
* chmod -R o= /Library/AOE
* chgrp -R admin /Library/AOE
* Turn on Firmware Password Cortan@EGP[23489] Cortan@AOE 1

## Things to fix

* Fix IPv6 in pf firewall
* Escrow keys somehow

====== SL7 notes ======

yubikey entries need to be in both system-auth and password-auth

selinux needs to be fixed:

====== Transfer control to OESRC ======

* Create user account with admin privileges
* Change firewall to only allow their machines
* Give them passwords for firmware
* Give them passwords for full disk encryption
* Give them passwords for full disk encryption on backup devices