aizuddin85

#!/usr/bin/python


load =  open("/proc/loadavg",'r')
read =  load.read(4)
int =   str(read)
print int
#print read
if int > "2.00":
        print "Load is high"

aizuddin85

#!/usr/bin/python
import re
file = open("/var/log/messages", 'r')
for i in file.readlines():
        if re.search('Python', i):
                print i
file.close()

aizuddin85

import cx_Oracle

class OracleWrapper(object):
    """
    A class for handling db operations
    """

    def __init__(self, constring):
        self.constring = constring.strip()
        self.db_connection = cx_Oracle.connect(constring)

aizuddin85

import ldap
import sys

LDAP_URI = 'ldap://ldap.example.com'
SEARCH_BASE = 'ou=Example,dc=example,dc=com'
QUERY = '(&(nickname=M*)(employeeType=fulltime)(|(!(departmentNumber=5*))(loginShell=/bin/bash)))'


def ldap_search(ldap_uri, base, query):
  '''

aizuddin85

# Hardware

aizuddin85

Sep 29 15:13:44 master systemd: Created slice User Slice of root.
Sep 29 15:13:44 master systemd: Starting User Slice of root.
Sep 29 15:13:44 master systemd: Started Session 12 of user root.
Sep 29 15:13:44 master systemd-logind: New session 12 of user root.
Sep 29 15:13:44 master systemd: Starting Session 12 of user root.
Sep 29 15:13:44 master ansible-setup: Invoked with filter=* gather_subset=['all'] fact_path=/etc/ansible/facts.d gather_timeout=10
Sep 29 15:13:46 master ansible-setup: Invoked with filter=* gather_subset=['all'] fact_path=/etc/ansible/facts.d gather_timeout=10
Sep 29 15:13:48 master ansible-stat: Invoked with checksum_algorithm=sha1 get_checksum=True follow=False path=/run/ostree-booted get_md5=True get_mime=True get_attributes=True
Sep 29 15:13:49 master ansible-yum: Invoked with name=['iproute'] list=None install_repoquery=True conf_file=None disable_gpg_check=False state=present disablerepo=None update_cache=False enablerepo=None exclude=None validate_certs=True installroot=/ skip_brok

aizuddin85

This guide satisfied below RHEL environment:

Bastion node.
a. jump.example.com - RHEL 7.4, ansible-host

OCP Node list.
a. ocp-master01.example.com - atomic
b. ocp-node01.example.com - atomic
c. ocp-node02.example.com - atomic

aizuddin85

##TCP FLAGS##

Unskilled Attackers Pester Real Security Folks
==============================================
                     TCPDUMP FLAGS
Unskilled =  URG  =  (Not Displayed in Flag Field, Displayed elsewhere) 
Attackers =  ACK  =  (Not Displayed in Flag Field, Displayed elsewhere)
Pester    =  PSH  =  [P] (Push Data)
Real      =  RST  =  [R] (Reset Connection)
Security  =  SYN  =  [S] (Start Connection)

aizuddin85

1. Create DR project.
2. Patch namespace to use same SELinux, supplementalID and GroupID as production project. (oc describe project <namespace>)

[root@ocpmaster01 ~]# oc patch namespace eapapp-dr -p "{\"metadata\":{\"annotations\":{\"openshift.io/sa.scc.uid-range\":\"1000140000/10000\"}}}"
namespace "eapapp-dr" patched
[root@ocpmaster01 ~]# oc patch namespace eapapp-dr -p "{\"metadata\":{\"annotations\":{\"openshift.io/sa.scc.supplemental-groups\":\"1000140000/10000\"}}}"
namespace "eapapp-dr" patched
[root@ocpmaster01 ~]# oc patch namespace eapapp-dr -p "{\"metadata\":{\"annotations\":{\"openshift.io/sa.scc.mcs\":\"s0:c12,c4\"}}}"
namespace "eapapp-dr" patched

aizuddin85

During VA scan, some cipher considered as not safe and need to be disabled. This easily can be done by configuring /etc/origin/master/master-config.yaml.


servingInfo:
  ...
  minTLSVersion: VersionTLS12
  cipherSuites:
  - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  - TLS_RSA_WITH_AES_256_CBC_SHA
  - TLS_RSA_WITH_AES_128_CBC_SHA