aoe:itar

ELK

https://log-dev.it.vt.edu/

search “logstash grok patterns”:

https://github.com/elastic/logstash/blob/v1.4.2/patterns/grok-patterns

Development code for the university, as set up by Dave Martin (darkmoon):

https://git.it.vt.edu

Mac install

#
curl -O https://download.elasticsearch.org/elasticsearch/release/org/elasticsearch/distribution/tar/elasticsearch/2.1.0/elasticsearch-2.1.0.tar.gz
curl -O https://download.elastic.co/logstash/logstash/logstash-2.1.0.tar.gz
curl -O https://download.elastic.co/kibana/kibana/kibana-4.3.0-darwin-x64.tar.gz
curl -O https://download.elastic.co/beats/filebeat/filebeat-1.0.0-darwin.tgz
shasum filebeat-1.0.0-darwin.tgz 
mkdir /usr/local/logstash
mkdir /usr/local/elasticsearch
mkdir /usr/local/kibana
mkdir /usr/local/filebeat
tar xzf logstash-2.1.0.tar.gz -C /usr/local/logstash
tar zxf elasticsearch-2.1.0.tar.gz -C /usr/local/elasticsearch/
tar zxf kibana-4.3.0-darwin-x64.tar.gz -C /usr/local/kibana
tar zxf filebeat-1.0.0-darwin.tgz -C /usr/local/filebeat

or, as a regular user under your home directory:

$
cd /Users/stedwar1/bin/elk
curl -O https://download.elasticsearch.org/elasticsearch/release/org/elasticsearch/distribution/tar/elasticsearch/2.1.0/elasticsearch-2.1.0.tar.gz
curl -O https://download.elastic.co/logstash/logstash/logstash-2.1.0.tar.gz
curl -O https://download.elastic.co/kibana/kibana/kibana-4.3.0-darwin-x64.tar.gz
curl -O https://download.elastic.co/beats/filebeat/filebeat-1.0.0-darwin.tgz
shasum filebeat-1.0.0-darwin.tgz 
mkdir logstash
mkdir elasticsearch
mkdir kibana
mkdir filebeat
tar xzf logstash-2.1.0.tar.gz -C logstash
tar xzf elasticsearch-2.1.0.tar.gz -C elasticsearch
tar xzf kibana-4.3.0-darwin-x64.tar.gz -C kibana
tar xzf filebeat-1.0.0-darwin.tgz -C filebeat
cd
cd usr/local/elk/elasticsearch
./elasticsearch-2.1.0/bin/elasticsearch
Test elasticsearch
curl -XGET 'localhost:9200'
cd <?>/logstash

./logstash-2.1.0/bin/plugin list
./logstash-2.1.0/bin/plugin install logstash-filter-geoip
./logstash-2.1.0/bin/plugin install logstash-filter-grok
./logstash-2.1.0/bin/plugin install logstash-input-beats

./logstash-2.1.0/bin/logstash -f first-pipeline.conf --configtest
./logstash -f /Users/steveedwards/usr/local/elk/logstash/first-pipeline.conf

Test logstash

./bin/logstash -e 'input { stdin { } } output { stdout {} }'
./logstash-2.1.0/bin/logstash -e 'input { stdin { } } output { elasticsearch {} }'

If you fed the test file in through stdin, each event's @timestamp is the time Logstash read it, and the elasticsearch output names the daily index from that timestamp in UTC (late in the evening US time that is already the next day's index). There is no separate priming step: the first indexed event creates the index, and after that this query works if you use that date:

curl -XGET 'localhost:9200/logstash-2015.12.08/_search?q=response:200'

filebeat

curl -L -O http://download.elastic.co/beats/dashboards/beats-dashboards-1.0.0.tar.gz
tar xzvf beats-dashboards-1.0.0.tar.gz
cd beats-dashboards-1.0.0/
./load.sh
cd
cd usr/local/elk/filebeat/filebeat-1.0.0-darwin
curl -XPUT 'http://localhost:9200/_template/filebeat?pretty' -d@filebeat.template.json
sudo ./filebeat -e -c filebeat.yml -d "publish"

kibana

AOEs-iMac:bin steveedwards$ pwd
/Users/steveedwards/usr/local/elk/kibana/kibana-4.3.0-darwin-x64/bin
AOEs-iMac:bin steveedwards$ ./kibana

Searching logs.it.vt.edu

Log on and select the index pattern:

[logstash-]YYYY.MM.DD

To see logons:

egp4 AND Authentication* AND NOT _adminstedwar1

Various syntax experiments:

/egp[02348]/ AND NOT DAAP AND NOT netbiosd AND NOT repeated AND NOT softwareupdated AND NOT Info AND Backup AND "No destinations resolvable"
/egp[02348]/ AND Backup AND "No destinations resolvable" AND beat.hostname: egp4.aoe.vt.edu
/egp[02348]/ AND Backup AND /r.*able/

To see backups not resolvable:

/egp[02348]/ AND Backup AND "No destinations resolvable"
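The two searches above, run offline as an added example that is not part of the original notes: a small POSIX sh/awk parser splits BSD-style syslog lines (the shape filebeat ships from /var/log) into host, program, pid and message, then applies the "logons on egp4 excluding the admin account" filter and the "backups not resolvable on egp[02348]" filter. The log lines, hostnames, pids and user names are constructed for the example; the Kibana `Authentication*` wildcard is approximated with a substring match, and the host regex is widened to accept FQDNs as well as short names.

```sh
#!/bin/sh
# Added example (not from the page): offline equivalents of the Kibana searches
# above, run over constructed macOS syslog lines with POSIX sh and awk.

# Constructed sample log (hosts, pids and messages are made up for the example).
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Dec  8 09:12:01 egp4 Backup[311]: No destinations resolvable
Dec  8 09:12:05 egp4 securityd[77]: Authentication succeeded for user kda15
Dec  8 09:13:10 egp4 securityd[77]: Authentication succeeded for user _adminstedwar1
Dec  8 09:14:00 egp1 Backup[412]: No destinations resolvable
Dec  8 09:15:30 egp8 Backup[298]: No destinations resolvable
Dec  8 09:15:31 egp8 Backup[298]: No destinations resolvable
Dec  8 09:16:02 egp2 softwareupdated[55]: Authentication for update skipped
EOF

# syslog_fields FILE: print one tab-separated record per line:
#   host <TAB> program <TAB> pid <TAB> message
# Input is BSD syslog, "Mon DD HH:MM:SS host prog[pid]: message", the same
# shape grok's SYSLOGLINE pattern parses on the logstash side.
syslog_fields() {
  awk '{
    host = $4
    prog = $5; sub(/\[.*$/, "", prog)                   # "Backup[311]:" -> "Backup"
    pid  = $5; sub(/^.*\[/, "", pid); sub(/\].*$/, "", pid)
    msg  = substr($0, index($0, $5) + length($5) + 1)   # text after "prog[pid]: "
    printf "%s\t%s\t%s\t%s\n", host, prog, pid, msg
  }' "$1"
}

# backup_unresolvable FILE: per-host count of "No destinations resolvable"
# from the Backup process on egp0/2/3/4/8 (short or fully qualified name),
# i.e. /egp[02348]/ AND Backup AND "No destinations resolvable".
backup_unresolvable() {
  syslog_fields "$1" | awk -F'\t' '
    $1 ~ /^egp[02348](\.|$)/ && $2 == "Backup" &&
    index($4, "No destinations resolvable") { n[$1]++ }
    END { for (h in n) print h, n[h] }' | sort
}

# logons_on FILE HOST SKIP_ACCOUNT: authentication messages on HOST that do not
# mention SKIP_ACCOUNT, i.e. egp4 AND Authentication* AND NOT _adminstedwar1
# (the account doing the review is excluded so its own sessions do not drown
# out everyone else's).
logons_on() {
  syslog_fields "$1" | awk -F'\t' -v h="$2" -v skip="$3" '
    $1 == h && index($4, "Authentication") && index($4, skip) == 0 {
      print $2 ": " $4
    }'
}

backup_unresolvable "$SAMPLE_LOG"
logons_on "$SAMPLE_LOG" egp4 _adminstedwar1
```

On the sample data the first call reports one unresolvable backup on egp4 and two on egp8 (egp1 is outside the host set), and the second reports only the kda15 logon.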

Mac install 2.2

mkdir elk
cd elk/
ls
curl -L -O https://download.elasticsearch.org/elasticsearch/release/org/elasticsearch/distribution/tar/elasticsearch/2.2.0/elasticsearch-2.2.0.tar.gz
tar xvf elasticsearch-2.2.0.tar.gz 
./elasticsearch-2.2.0/bin/elasticsearch

filebeat

Download filebeat from https://www.elastic.co/downloads/beats/filebeat

mkdir /Applications/Filebeat
cd !$
curl -L -O https://download.elastic.co/beats/filebeat/filebeat-1.1.1-darwin.tgz
tar xf filebeat-1.1.1-darwin.tgz
rm filebeat-1.1.1-darwin.tgz
cd filebeat-1.1.1-darwin/
vim filebeat.yml
edits to filebeat.yml

Optional: In the paths section, comment out *.log and add specific log files.

```
filebeat:
  prospectors:
    -
      paths:
        - /var/log/*.log
      input_type: log
      fields:
        name: workstation
        host: egp0.aoe.vt.edu
        tier: prod
        group: laa.aoe.desktop
      document_type: syslog
  registry_file: /Library/Application Support/Filebeat/registry
output:
  logstash:
    hosts: ["log-1.it.vt.edu:5045","log-2.it.vt.edu:5045","log-3.it.vt.edu:5045"]
    loadbalance: true
    tls:
      certificate_authorities: ["/Applications/Filebeat/logqueue-prod-cachain.pem"]
      min_version: 1.2
  file:
    path: "/tmp/filebeat"
shipper:
logging:
  files:
    rotateeverybytes: 10485760 # = 10MB
```

The `tls` block is what makes filebeat verify the log hosts' certificates against the named CA chain before it sends anything; the `file` output writes a second copy of every event under /tmp, so keep it only while debugging.

Required: In the Output section, comment out elasticsearch, uncomment "logstash:" and add the university log hosts.

output:

  ### Elasticsearch as output
#  elasticsearch:
    # Array of hosts to connect to.
    # Scheme and port can be left out and will be set to the default (http and 9200)
    # In case you specify an additional path, the scheme is required: http://localhost:9200/path
    # IPv6 addresses should always be defined as: https://[2001:db8::1]:9200
#    hosts: ["localhost:9200"]
...
  ### Logstash as output
  logstash:
    # The Logstash hosts
    #hosts: ["localhost:5044"]
    hosts: ["elk-ihf-1.cc.vt.edu:5044"]
...

Optional: For local debugging, it might help to add a local text file by uncommenting the file and path lines.

  ### File as output
  file:
    # Path to the directory where to save the generated files. The option is mandatory.
    path: "/tmp/filebeat"

Optional: A shipper name can be added to the log message. This was used to troubleshoot a problem with localhost being used for the “beat.hostname:” and “beat.name:” after reboot.

shipper:
  # The name of the shipper that publishes the network data. It can be used to group
  # all the transactions sent by a single shipper in the web interface.
  # If this option is not defined, the hostname is used.
  #name:
Hostname

Set hostname:

https://knowledge.autodesk.com/support/flame-products/troubleshooting/caas/sfdcarticles/sfdcarticles/Setting-the-Mac-hostname-or-computer-name-from-the-terminal.html

From above web site: fully qualified hostname:

sudo scutil --set HostName <new host name>

Bonjour hostname:

sudo scutil --set LocalHostName <new host name>

Optional: user-friendly computer name you see in Finder:

sudo scutil --set ComputerName <new name>

Flush the DNS cache:

dscacheutil -flushcache

Restart your Mac.

Launch Daemon

Add launchd plist

https://discuss.elastic.co/t/deploying-filebeat-on-macos-x/37785/2

cat > /Library/LaunchDaemons/co.elastic.filebeat.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>co.elastic.filebeat</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Applications/Filebeat/filebeat.start</string>
        <string>-c</string>
        <string>/Applications/Filebeat/filebeat.yml</string> 
    </array>
    <key>KeepAlive</key>
    <true/>
</dict>
</plist>
chown root:wheel /Library/LaunchDaemons/co.elastic.filebeat.plist
chmod 644 /Library/LaunchDaemons/co.elastic.filebeat.plist

(launchd refuses to load a daemon plist that is not owned by root or is writable by anyone else; the plist does not need to be executable.)
Script to start filebeat after the hostname is assigned

Add the wrapper script that the LaunchDaemon above runs

cat > /Applications/Filebeat/filebeat.start
#!/bin/bash
# Hack to make filebeat wait until the system has assigned a real hostname.
# bash reads $HOSTNAME once at startup, so ask hostname(1) on every pass
# instead of testing the stale variable.

while [ "$(hostname)" = localhost ]
do
  sleep 5
done

# exec so launchd's KeepAlive watches filebeat itself, not this wrapper.
exec /Applications/Filebeat/filebeat "$@"
chmod +x /Applications/Filebeat/filebeat.start

Linux install

tar method

curl -O https://download.elasticsearch.org/elasticsearch/release/org/elasticsearch/distribution/tar/elasticsearch/2.1.0/elasticsearch-2.1.0.tar.gz
curl -O https://download.elastic.co/logstash/logstash/logstash-2.1.1.tar.gz
curl -O https://download.elastic.co/kibana/kibana/kibana-4.3.0-linux-x64.tar.gz
curl -O https://download.elastic.co/beats/filebeat/filebeat-1.0.0-x86_64.tar.gz
mkdir elasticsearch kibana filebeat logstash
tar xzf elasticsearch-2.1.0.tar.gz -C elasticsearch
tar xzf logstash-2.1.1.tar.gz -C logstash
tar xzf kibana-4.3.0-linux-x64.tar.gz -C kibana
tar xzf filebeat-1.0.0-x86_64.tar.gz -C filebeat
java -version
su -

yum/rpm method

rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
cd /etc/yum.repos.d/
cat >> elasticsearch.repo
[elasticsearch-2.x]
name=Elasticsearch repository for 2.x packages
baseurl=http://packages.elastic.co/elasticsearch/2.x/centos
gpgcheck=1
gpgkey=http://packages.elastic.co/GPG-KEY-elasticsearch
enabled=1
[logstash-2.1]
name=Logstash repository for 2.1.x packages
baseurl=http://packages.elastic.co/logstash/2.1/centos
gpgcheck=1
gpgkey=http://packages.elastic.co/GPG-KEY-elasticsearch
enabled=1
yum install elasticsearch
yum install logstash
systemctl daemon-reload
systemctl enable elasticsearch.service
systemctl start elasticsearch.service

curl -L -O https://download.elastic.co/beats/filebeat/filebeat-1.0.0-x86_64.rpm
sudo rpm -vi filebeat-1.0.0-x86_64.rpm
/opt/logstash/bin/plugin list
/opt/logstash/bin/plugin install logstash-filter-geoip
/opt/logstash/bin/plugin install logstash-filter-grok
/opt/logstash/bin/plugin install logstash-input-beats

Modify filebeat to report to logstash

vim /etc/filebeat/filebeat.yml 

Comment out the elasticsearch output and its hosts line, then uncomment the logstash output and its hosts line.

/etc/init.d/filebeat restart

Configure logstash the same way: a beats input and an elasticsearch output.

vim /etc/logstash/conf.d/first
input {
  beats {
    port => 5044
  }
}

output {
  elasticsearch {
    hosts => "localhost:9200"
    sniffing => true
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}
exit
cd /l/stedwar1/elk/logstash/logstash-2.1.1/bin/
ls
cd

curl -XGET 'localhost:9200'

cd ?
./kibana

Hardening notes

2FA: two-factor authentication

Trying to compile pam_duo from source (neither build succeeded, see below):

edit configure.ac and update

AM_INIT_AUTOMAKE([1.13.4 foreign subdir-objects serial-tests])

with the version from

automake --version

then

autoreconf --install
./configure --with-pam --prefix=/usr && make && sudo make install

The Mac build fails with a malloc error, and on Linux `sudo make install` still cannot find the compat directory.

Brew install duo_unix

Homebrew installs version 1.9.17:

brew install duo_unix

Modify /etc/duo/pam_duo.conf with data from duo admin site.

Add to /etc/pam.d/sshd and /etc/pam.d/sudo:

auth       required       /usr/local/lib/security/pam_duo.so

For local YubiKey 2FA

Download `Mac OS X Logon (using Yubico-PAM)` from

https://www.yubico.com/support/knowledge-base/categories/articles/os-logon-tools/

and install it.

Currently: https://developers.yubico.com/yubico-pam/Releases/pam_yubico-2.23.pkg

Keep a remote administrator shell open on another machine during this process!

https://developers.yubico.com/yubico-pam/MacOS_X_Challenge-Response.html

Skip the `sudo port install yubico-pam` section since the pkg above handles the install.

create the directory where ykpamcfg will store the initial challenge

mkdir -m0700 -p ~/.yubico

get the initial challenge from the YubiKey

ykpamcfg -2

Add this line to the top of /etc/pam.d/authorization (drop `debug` once it works; it logs every attempt to the system log):

auth       required       /usr/local/lib/security/pam_yubico.so mode=challenge-response debug

scripts

sw_vers

check_local_admins.sh

#!/bin/bash

# Script to detect whether a computer has a local admin account with a UID above 500.
# Output uses the <result> tags a Jamf extension attribute expects.

# Initialize array

list=()
users=()

# generate user list of users with UID greater than 500

for username in $(dscl . list /Users UniqueID | awk '$2 > 500 { print $1 }'); do

# Checks to see which usernames are reported as being admins. The
# check is running dsmemberutil's check membership and listing the
# accounts that are being reported as admin users. Actual check is
# for accounts that are NOT not an admin (i.e. not standard users.)
    users+=("${username}")
    if [[ $(dsmemberutil checkmembership -U "${username}" -G admin) != *not* ]]; then
    # Any reported accounts are added to the array list
        list+=("${username}")
    fi
done

# Prints the array's list contents
echo "All users:"
echo "<result>${users[@]}</result>"
echo "Administrator:"
echo "<result>${list[@]}</result>"
restart.sh 

#!/bin/bash
osascript -e 'tell app "System Events" to restart'

osxlockdown

mkdir -p $HOME/go/src
export GOPATH=$HOME/go
cd $GOPATH/src
git clone https://github.com/SummitRoute/osxlockdown.git
cd osxlockdown/
go build osxlockdown
./osxlockdown

Packet Filter (pf)

https://pleiades.ucsc.edu/hyades/PF_on_Mac_OS_X

http://blog.scottlowe.org/2013/05/15/using-pf-on-os-x-mountain-lion/

http://www.openbsd.org/faq/pf/shortcuts.html

http://www.openbsd.org/faq/pf/config.html

http://krypted.com/mac-security/a-cheat-sheet-for-using-pf-in-os-x-lion-and-up/

http://egopoly.com/2014/11/yosemite-simple-firewall.html

Enabling stealth mode, or "block all incoming", in the Application Firewall also enables pf.

typical config locations:

cat /etc/pf.conf 
ls /etc/pf.anchors/

show rules in the main ruleset (usually nothing; the Apple rules live in anchors)

pfctl -sr

show rules for anchor

pfctl -a com.apple -sr

show rules for sub anchor

pfctl -a com.apple/250.ApplicationFirewall -s rules
pfctl -a com.apple/250.ApplicationFirewall -sr

show rules for Anchors verbose

pfctl -v -s Anchors
pfctl -vsA

parse a rules file verbosely without loading it

pfctl -vnf /etc/pf.conf

show pf enable references (macOS-specific; each holder has a token, see -X below)

pfctl -s References

show info

pfctl -s info

defaults read /Library/Preferences/com.apple.alf.plist
launchctl unload /System/Library/LaunchDaemons/com.apple.pfctl.plist
launchctl load /System/Library/LaunchDaemons/com.apple.pfctl.plist

launchctl unload /System/Library/LaunchAgents/com.apple.alf.useragent.plist 
launchctl unload /System/Library/LaunchDaemons/com.apple.alf.agent.plist 
launchctl load /System/Library/LaunchDaemons/com.apple.alf.agent.plist
launchctl load /System/Library/LaunchAgents/com.apple.alf.useragent.plist

less /System/Library/LaunchDaemons/com.apple.alf.agent.plist
less /System/Library/LaunchAgents/com.apple.alf.useragent.plist
/usr/libexec/ApplicationFirewall/socketfilterfw -h
/usr/libexec/ApplicationFirewall/socketfilterfw -c ?? (Check file??)
/usr/libexec/ApplicationFirewall/socketfilterfw --listapps
/usr/libexec/ApplicationFirewall/socketfilterfw -h
/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode
/usr/libexec/ApplicationFirewall/socketfilterfw --getblockall

Disable firewall

#Unload alf Firewall
launchctl unload /System/Library/LaunchAgents/com.apple.alf.useragent.plist 
launchctl unload /System/Library/LaunchDaemons/com.apple.alf.agent.plist 

#This could be the same thing
/usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate off
#Unload pf
launchctl unload /System/Library/LaunchDaemons/com.apple.pfctl.plist
#list further references
pfctl -s References
#use the TOKEN to release the reference
pfctl -X 16223657253052935175

#flush pf
pfctl -Fa -f /etc/pf.conf

auto script

# Enable alf Firewall
launchctl load /System/Library/LaunchDaemons/com.apple.alf.agent.plist 
launchctl load /System/Library/LaunchAgents/com.apple.alf.useragent.plist 
#
/usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
#/usr/libexec/ApplicationFirewall/socketfilterfw --listapps
# Enable Stealth Mode
/usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on

sshd

# Enable ssh with keys only
launchctl load -w /System/Library/LaunchDaemons/ssh.plist
#launchctl(1) says such about the -w flag:
# -w Overrides the Disabled key

Add the following options to /etc/sshd_config (on newer macOS releases the file lives at /etc/ssh/sshd_config):

PermitRootLogin no
PasswordAuthentication no

For keys only, also turn off the PAM keyboard-interactive path:

ChallengeResponseAuthentication no

For a key plus a second factor through PAM (the Duo or YubiKey modules above), leave ChallengeResponseAuthentication at yes instead and require both steps:

AuthenticationMethods "publickey,password" "publickey,keyboard-interactive"

Do not combine the two: with PasswordAuthentication and ChallengeResponseAuthentication both set to no, neither chain in that AuthenticationMethods line can complete and sshd refuses every login. Test from a second session before closing the one you are editing in.

Restart sshd:

launchctl unload /System/Library/LaunchDaemons/ssh.plist
launchctl load /System/Library/LaunchDaemons/ssh.plist
# Add sshd-keygen-wrapper to ALF
/usr/libexec/ApplicationFirewall/socketfilterfw --add /usr/libexec/sshd-keygen-wrapper
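As an added example (not from these notes), a small POSIX sh/awk checker for the settings above. It reads the effective value of each keyword the way sshd does (first occurrence wins, `#` starts a comment, keywords are case-insensitive; Match blocks are not handled) and flags the lock-out case where an AuthenticationMethods chain names password or keyboard-interactive while that method is switched off. The two sample configs inside it are constructed for the example and are not the page's real files.

```sh
#!/bin/sh
# Added example (not from the page): check an sshd_config for the "keys only"
# settings above and for unsatisfiable AuthenticationMethods chains.

# Constructed sample configs (not real files from this page).
GOOD_CFG=$(mktemp)
BAD_CFG=$(mktemp)
cat >"$GOOD_CFG" <<'EOF'
# keys only
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
AuthenticationMethods publickey
EOF
cat >"$BAD_CFG" <<'EOF'
PermitRootLogin no        # trailing comment
PasswordAuthentication no
ChallengeResponseAuthentication no
AuthenticationMethods "publickey,password" "publickey,keyboard-interactive"
PasswordAuthentication yes   # ignored by sshd: the first value wins
EOF

# sshd_effective FILE KEYWORD: the value sshd will use. Keywords are
# case-insensitive, '#' starts a comment and, per sshd_config(5), the first
# occurrence of a keyword wins. Match blocks are not handled.
sshd_effective() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    { sub(/#.*/, "") }
    NF >= 2 && tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
  ' "$1"
}

# sshd_check FILE: print findings; return 0 when the file passes.
sshd_check() {
  f=$1; rc=0
  root=$(sshd_effective "$f" PermitRootLogin)
  pass=$(sshd_effective "$f" PasswordAuthentication)
  chal=$(sshd_effective "$f" ChallengeResponseAuthentication)
  meth=$(sshd_effective "$f" AuthenticationMethods | tr -d '"')

  [ "$root" = no ] || { echo "FAIL PermitRootLogin is '${root:-unset (default yes)}'"; rc=1; }
  [ "$pass" = no ] || { echo "FAIL PasswordAuthentication is '${pass:-unset (default yes)}'"; rc=1; }

  # Every chain in AuthenticationMethods must be completable with the methods
  # that are switched on; otherwise sshd refuses every login.
  for chain in $meth; do
    case ",$chain," in
      *,password,*) [ "$pass" = no ] &&
        { echo "FAIL chain '$chain' needs PasswordAuthentication yes"; rc=1; } ;;
    esac
    case ",$chain," in
      *,keyboard-interactive,*) [ "$chal" = no ] &&
        { echo "FAIL chain '$chain' needs ChallengeResponseAuthentication yes"; rc=1; } ;;
    esac
  done
  [ "$rc" -eq 0 ] && echo "OK $f"
  return "$rc"
}

sshd_check "$GOOD_CFG"
sshd_check "$BAD_CFG" || echo "(the findings above mean that file would lock everyone out)"
```

Run it against the real file with `sshd_check /etc/ssh/sshd_config` before restarting sshd; `sshd -t` still does the syntax check, this only catches the semantic trap.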

Enjoy verbose messages at bootup

sudo nvram boot-args="-v"

disable:

sudo nvram boot-args=

README.TXT


AOE Hancock Lab iMac

* Encrypt Project Data
* Scan all removable media before inserting in machine

PATH settings for user installed software


```
export MAGICK_HOME="$HOME/Applications/ImageMagick-6.9.3"
export PATH="$MAGICK_HOME/bin:$PATH"
export DYLD_LIBRARY_PATH="$MAGICK_HOME/lib/"
```


Install OpenFOAM


OpenFOAM is already compiled as a user. Its dependencies were installed with Homebrew run as an administrator so that they land in `/usr/local`, a common prefix for compiled code. Homebrew itself can be installed as an ordinary user, but code compiled against it then references that user's Homebrew directory, which makes it less portable to other users.

[OpenFOAM for Mac using git and homebrew](https://github.com/mrklein/openfoam-os-x/wiki/OpenFOAM-git-version-&-Homebrew)

Test OpenFOAM


* Mount the sparse bundle on ~/OpenFOAM

```
hdiutil attach -mountpoint $HOME/OpenFOAM OpenFOAM.sparsebundle
```

* Source the OpenFOAM environment and test

```
cd OpenFOAM/OpenFOAM-3.0.x/
source etc/bashrc
mkdir -p $FOAM_RUN
cp -r $FOAM_TUTORIALS $FOAM_RUN
cd $FOAM_RUN/tutorials/incompressible/icoFoam/cavity
blockMesh
icoFoam
paraFoam
```

OpenFOAM extend


Mount sparse image located in home directory.

```
mkdir foam
cd foam
ln -s /Volumes/foam-extend-3.1 .
. foam-extend-3.1/etc/bashrc
```

Other Information


Create encrypted disk image (incomplete as recorded: the command below has no -encryption option, so it creates an unencrypted bundle; use the convert step below to encrypt it)

```
hdiutil create -size 8.3g -type SPARSEBUNDLE -fs HFSX -volname OpenFOAM -fsargs -s OpenFOAM.sparsebundle
```

Encrypt an existing disk image.

```
hdiutil convert test.sparsebundle -format UDSB -encryption AES-256 -o testenc
```

README-ADMIN.TXT


AOE Hancock Lab iMac Image Notes

PATH settings for user installed software


```
export MAGICK_HOME="$HOME/Applications/ImageMagick-6.9.3"
export PATH="$MAGICK_HOME/bin:$PATH"
export DYLD_LIBRARY_PATH="$MAGICK_HOME/lib/"
```


Install OpenFOAM


OpenFOAM is already compiled as a user. Its dependencies were installed with Homebrew run as an administrator so that they land in `/usr/local`, a common prefix for compiled code. Homebrew itself can be installed as an ordinary user, but code compiled against it then references that user's Homebrew directory, which makes it less portable to other users. Here is how the installation works.

[OpenFOAM for Mac using git and homebrew](https://github.com/mrklein/openfoam-os-x/wiki/OpenFOAM-git-version-&-Homebrew)

```
mkdir homebrew && curl -L https://github.com/Homebrew/homebrew/tarball/master | tar xz --strip 1 -C homebrew
export PATH="$PATH":~/Applications/homebrew/bin/
brew tap homebrew/science
brew install open-mpi --without-fortran
brew install scotch
brew install boost --without-single --with-mpi
brew install cgal
brew install metis
brew install parmetis
brew install https://raw.githubusercontent.com/mrklein/openfoam-os-x/master/formulae/parmgridgen.rb
```

* Download OpenFOAM and the OS X patch, then

```
mkdir -p $HOME/.OpenFOAM
echo 'WM_COMPILER=Clang' > $HOME/.OpenFOAM/prefs.sh
echo 'WM_COMPILE_OPTION=Opt' >> $HOME/.OpenFOAM/prefs.sh
echo 'WM_MPLIB=SYSTEMOPENMPI' >> $HOME/.OpenFOAM/prefs.sh
echo 'export WM_NCOMPPROCS=$(sysctl -n hw.ncpu)' >> $HOME/.OpenFOAM/prefs.sh
source etc/bashrc
[ "$(ulimit -n)" -lt "4096" ] && ulimit -n 4096
./Allwmake > log.Allwmake 2>&1
```

Test OpenFOAM


* Mount the sparse bundle on ~/OpenFOAM

```
hdiutil attach -mountpoint $HOME/OpenFOAM OpenFOAM.sparsebundle
```

* Source the OpenFOAM environment and test

```
cd OpenFOAM/OpenFOAM-3.0.x/
source etc/bashrc
mkdir -p $FOAM_RUN
cp -r $FOAM_TUTORIALS $FOAM_RUN
cd $FOAM_RUN/tutorials/incompressible/icoFoam/cavity
blockMesh
icoFoam
paraFoam
```

Complete OpenFOAM Installation Instruction


as listed on https://github.com/mrklein/openfoam-os-x/wiki/OpenFOAM-git-version-&-Homebrew

```
$ brew tap homebrew/science
$ brew install open-mpi --without-fortran
$ brew install scotch
$ brew install boost --without-single --with-mpi
$ brew install cgal
$ brew install metis
$ brew install parmetis
$ brew install https://raw.githubusercontent.com/mrklein/openfoam-os-x/master/formulae/parmgridgen.rb
$ cd
$ hdiutil create -size 8.3g -type SPARSEBUNDLE -fs HFSX -volname OpenFOAM -fsargs -s OpenFOAM.sparsebundle
$ mkdir -p OpenFOAM
$ hdiutil attach -mountpoint $HOME/OpenFOAM OpenFOAM.sparsebundle
$ cd OpenFOAM
$ git clone https://github.com/OpenFOAM/OpenFOAM-A.B.x.git
$ cd OpenFOAM-A.B.x
$ curl -L https://raw.githubusercontent.com/mrklein/openfoam-os-x/master/OpenFOAM-A.B.x-commit.patch > OpenFOAM-A.B.x-commit.patch
$ git checkout -b local-install <commit>
$ git apply OpenFOAM-A.B.x-commit.patch
$ mkdir -p $HOME/.OpenFOAM
$ echo 'WM_COMPILER=Clang' > $HOME/.OpenFOAM/prefs.sh
$ echo 'WM_COMPILE_OPTION=Opt' >> $HOME/.OpenFOAM/prefs.sh
$ echo 'WM_MPLIB=SYSTEMOPENMPI' >> $HOME/.OpenFOAM/prefs.sh
$ echo 'export WM_NCOMPPROCS=$(sysctl -n hw.ncpu)' >> $HOME/.OpenFOAM/prefs.sh
$ source etc/bashrc
$ [ "$(ulimit -n)" -lt "4096" ] && ulimit -n 4096
$ ./Allwmake > log.Allwmake 2>&1
```

## OpenFOAM extend

Mount sparse image located in home directory.

```
mkdir foam
cd foam
ln -s /Volumes/foam-extend-3.1 .
. foam-extend-3.1/etc/bashrc
```

Other Information


Encrypt an existing disk image.

```
hdiutil convert test.sparsebundle -format UDSB -encryption AES-256 -o testenc
```

Steps to migrate image to users machine


* Lock firmware
* Create the new user account. Hokies!2016.
* Log in to the new account.
* `sudo -i`
* Move the template ~/Applications folder to the new user account and move the sparse images to the home directory base.

```
mv /Users/stedwar1/Applications /Users/kda15/
chown -R kda15 /Users/kda15/Applications
cp -a /Users/stedwar1/.OpenFOAM /Users/kda15/
chown -R kda15 /Users/kda15/.OpenFOAM
mv /Users/kda15/Applications/OpenFOAM.sparsebundle /Users/kda15/
mv /Users/kda15/Applications/foam-extend-3.1.sparseimage /Users/kda15/
```

* Set hostnames

```
sudo scutil --set HostName egpX.aoe.vt.edu
sudo scutil --set LocalHostName egpX
sudo scutil --set ComputerName egpX
dscacheutil -flushcache
```

* Remove stedwar1 account ?? Use the GUI.
* Copy osxlockdown to /Library/AOE/ (restrict the copy, not all of /Library; the checklist below repeats this path)

```
sudo cp -a /Volumes/Voyager1/AOE /Library/
chmod -R o= /Library/AOE
```

* Set IP addresses: use the GUI.

* Apply profiles

profiles -I -F /Users/_adminstedwar1/Desktop/Settings_for_egp_machines-3.mobileconfig

To remove:

profiles -C
_computerlevel[1] attribute: profileIdentifier: com.apple.mdm.steves-air.aoe.vt.edu.0ba1b350-b313-0133-2483-7cc3a188e6af.alacarte
profiles -R -p com.apple.mdm.steves-air.aoe.vt.edu.0ba1b350-b313-0133-2483-7cc3a188e6af.alacarte

* Apply osxlockdown

```
cd /Library/AOE
./osxlockdown
./osxlockdown -remediate
```

* reboot

* test new user account applications

* File Vault: https://derflounder.wordpress.com/2015/12/20/managing-el-capitans-filevault-2-with-fdesetup/
* Enable

  This can be required through policies, but is done manually for now.
  egp8 test `KRWD-GGBU-9NRM-UMOY-TFX4-XHAV` obsolete

* Add users

```
fdesetup add -usertoadd otheruser
fdesetup list
fdesetup remove -user username_goes_here
```

* Turn off Wireless and set permissions after copying image to final machine

* Attempts to fix sshd-keygen-wrapper

```
/usr/libexec/PlistBuddy -c "print firewall:\"Remote Login - SSH\":state" /Library/Preferences/com.apple.alf.plist
/usr/libexec/PlistBuddy -c "set firewall:\"Remote Login - SSH\":state 1" /Library/Preferences/com.apple.alf.plist
```

* disable

  /usr/libexec/PlistBuddy -c "set applications:4:state 2" /Library/Preferences/com.apple.alf.plist

* enable

  /usr/libexec/PlistBuddy -c "set applications:4:state 0" /Library/Preferences/com.apple.alf.plist

* Added this to filebeat.start on egp8 as a shim until it can be set properly. (Commented back out since finding a solution.)

```
# Allow ssh through the application firewall because the allow setting does not
# remain after reboot with "Automatically allow signed software..." unchecked.
/usr/libexec/ApplicationFirewall/socketfilterfw --unblock /usr/libexec/sshd-keygen-wrapper
```

* Possible solution: make the changes from another account besides the _adminstedwar1 account.

* Possible solution (Worked from admin user on egp4 image.)

 1. Turn off Remote Access (sshd)
 1. Remove sshd-keygen-wrapper from firewall
 1. stop and restart firewall
 1. reboot
 1. Turn on Remote Access (sshd)
 1. Add /usr/libexec/sshd-keygen-wrapper to the allowed exceptions.
 1. reboot
 1. check if the exception is still allowed

## Deploy to user

* Sign out of:
  * Messenger
  * iCloud
  * iTunes
  * AppStore
* Boot to USB install
* umount main partition
* Erase main drive
* Install El Capitan. This is done in order to update the recovery partition, which is crucial in order to get the new disk utilities.
* Copy user's image to the main disk

## things to check

  • using profiles3
  • app firewall for sshd-keygen-wrapper allowed
  • chmod -R o= /Library/AOE
  • chgrp -R admin /Library/AOE
  • Turn on Firmware Password Cortan@EGP[23489] Cortan@AOE

## Things to fix

  • Fix IPv6 in pf firewall
  • Escrow keys somehow

SL7 notes

yubikey entries need to be in both system-auth and password-auth

selinux needs to be fixed:

Transfer contol to OESRC

* Create user account with admin privileges
* Change firewall to only allow their machines
* Give them passwords for firmware
* Give them passwords for full disk encryption
* Give them passwords for full disk encryption on backup devices

aoe/itar.txt · Last modified: 2023/12/27 16:31 by 127.0.0.1