Secure Pakiti Server Installation Steps


Learn how to install and configure a secure Pakiti server for vulnerability monitoring in EGI. Follow detailed steps for server package installation, Apache and MySQL configuration, and updating settings in this comprehensive guide.

  • Security
  • Pakiti server
  • Installation
  • Configuration
  • Vulnerability monitoring


Presentation Transcript


  1. EGI-InSPIRE Pakiti
     www.egi.eu, EGI-InSPIRE RI-261323

  2. Pakiti Overview
     • Patch monitoring
     • Unpatched vulnerabilities present a severe security threat
     • Client-server architecture
     • In production use by EGI CSIRT
     • Nagios probe against WNs
     • https://pakiti.egi.eu/
     • Development by EGI CSIRT

  3. Utilization in EGI

  4. Exercise
     • Install your own Pakiti server
     • Collect report from a node
     • Identify unpatched vulnerabilities

  5. Installation steps
     • Installation of server package
     • Configuration of Apache
     • Configuration of MySQL
     • Configuration of Pakiti server
     • Using Pakiti client

  6. Server package
     RPM from EGI AppDB:
       1. rpm --import 'http://pgp.mit.edu/pks/lookup?op=get&search=0x930D2233A28C25A6'
       2. wget -O /etc/yum.repos.d/pakiti.repo http://repository.egi.eu/community/software/pakiti/pakiti2/releases/repofiles/sl-6-i386.repo
       3. yum update
       4. yum install pakiti2-server

  7. Apache Configuration
     Enable https and Pakiti virtual host:
       1. Remove the default https virtual host (/etc/httpd/conf.d/ssl.conf)
       2. Copy Pakiti definition:
          cp /usr/share/doc/pakiti2-server-2.1.6/pakiti2.apache2 /etc/httpd/conf.d/pakiti2.conf
       3. Adapt to your preferred authN system
       4. Check firewall configuration

  8. MySQL
     Create Pakiti database and MySQL user:
       1. CREATE DATABASE pakiti;
       2. CREATE USER 'pakiti'@'localhost' IDENTIFIED BY 'really_random_password';
       3. GRANT ALL PRIVILEGES ON pakiti.* TO 'pakiti'@'localhost';
       4. FLUSH PRIVILEGES;
     Create schema:
       1. cd /usr/share/doc/pakiti2-server-2.1.6/
       2. mysql -D pakiti -u pakiti -p < pakiti2.sql

  9. Pakiti server
     Update mysql password/username:
       • /etc/pakiti2/pakiti2-server.conf
     Browse to https://server/ and adapt Settings (top right):
       1. http://www.redhat.com/security/data/oval/com.redhat.rhsa-2014.xml
       2. Release 4,5,6

  10. Server configuration

  11. Putting it together
      Install Pakiti client:
        1. yum install pakiti2-client-manual
      Configure the client, /usr/share/doc/pakiti2-client-manual-2.1.6/pakiti2-client:
        SERVERS="localhost:443"
        #CA_PATH="/etc/ssl/certs/"
      Run the client and check the results

  12. EGI-InSPIRE Central Log Collecting

  13. Motivation
      • Logs can point to an attack and vector
      • Attackers wipe logs once they have root access
      • Having logs stored locally doesn't scale
      • A single point at which to analyse data
      • Local logs are not trustworthy

  14. Solutions
      • syslog, former default logging system
      • replaced by rsyslog (syslog clients can send to rsyslog)
      • syslog-ng (OSE and Premium Edition, additional plugins under proprietary license)
      • Commercial solutions
      • splunk (volume based licensing/can get expensive)

  15. Rsyslog Server
      • Decide whether secure channel is required
      • TLS is supported
      • Decide what directory structure is needed
      • Make sure you have free space on storage
      • Enable monitoring of the server
      • Rsyslog is well documented

  16. Rsyslog client
      • Decide what messages to send out
      • Find out security requirements
        $DefaultNetstreamDriverCAFile /etc/ssl/certs/AddTrust_External_Root.pem
        $DefaultNetstreamDriver gtls
        $ActionSendStreamDriverMode 1
        $ActionSendStreamDriverAuthMode x509/certvalid # server is NOT authenticated
        *.* @@(o)147.251.252.199:10514

  17. Processing Collected Data
      • Usual tools like grep, etc.
      • Files are available from /var/log/remote-hosts
      • Larger volumes of data need advanced tools
      • Indexing, filtering
      • ElasticSearch, Kibana
      • Processing logs using cloud tools
      • http://home.zcu.cz/~bodik/metasw/esbegitf/

  18. Kibana

  19. Exercise
      • Configure your client to log remotely
      • 147.251.252.199 is provided as a VO server
      • Check the log contents
      • Files: ssh cf@147.251.252.199, /var/log/remote-hosts
      • Kibana: http://147.251.252.199/kibana3/index.html#/dashboard/file/logstashesb.json
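
The rsyslog client settings on slide 16 encrypt the channel and validate the server certificate chain, but with x509/certvalid the server's identity is not checked, as the slide's own comment notes. The following is an added example, not part of the original slides: a shell function that lints legacy-format rsyslog client directives for that gap and for unencrypted forwarding. The function name, the finding labels and the host logs.example.org are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: lint legacy-format rsyslog forwarding directives read from stdin.
# Simplification (assumption): a directive stays in effect for every later action.
audit_rsyslog_client() {
    awk '
        { sub(/#.*/, "") }                                   # strip comments
        $1 == "$DefaultNetstreamDriver"              { driver = $2 }
        $1 == "$DefaultNetstreamDriverCAFile"        { cafile = $2 }
        $1 == "$ActionSendStreamDriverMode"          { mode = $2 }
        $1 == "$ActionSendStreamDriverAuthMode"      { auth = $2 }
        $1 == "$ActionSendStreamDriverPermittedPeer" { peer = $2 }
        # Forwarding action: "<selector> @host" is UDP, "<selector> @@host" is TCP.
        NF >= 2 && $2 ~ /^@/ {
            t = $2
            if (t !~ /^@@/)                      { print "UDP_PLAINTEXT " t; next }
            if (driver != "gtls" || mode != "1") { print "TCP_WITHOUT_TLS " t; next }
            if (cafile == "") print "NO_CA_FILE " t
            if (auth != "x509/name" && auth != "x509/fingerprint")
                print "PEER_NOT_AUTHENTICATED " t " authmode=" (auth == "" ? "unset" : auth)
            else if (peer == "")
                print "NO_PERMITTED_PEER " t
        }
    '
}

# Constructed sample 1: the client directives as shown on slide 16.
SLIDE_CONF='$DefaultNetstreamDriverCAFile /etc/ssl/certs/AddTrust_External_Root.pem
$DefaultNetstreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/certvalid # server is NOT authenticated
*.* @@(o)147.251.252.199:10514'

# Constructed sample 2: same channel, server name pinned (logs.example.org is a placeholder).
PINNED_CONF='$DefaultNetstreamDriverCAFile /etc/ssl/certs/AddTrust_External_Root.pem
$DefaultNetstreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer logs.example.org
*.* @@(o)logs.example.org:10514'

echo "slide 16 settings:"; printf '%s\n' "$SLIDE_CONF"  | audit_rsyslog_client
echo "pinned settings:";   printf '%s\n' "$PINNED_CONF" | audit_rsyslog_client
```

Run it against a real client with: audit_rsyslog_client < /etc/rsyslog.conf. No output means no finding under the checks above.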
