migrate to git.charlotte.sh

net-sec-controls-sec350/labs/week02/Lab2.1-standardizing-time.md

@@ -0,0 +1,23 @@
+# Lab 2.1 Standardizing on Time
+Time is not recorded consistently across all of our systems.  You will note very quickly that none of your systems record the timezone within the syslog entry.  Without this data it is very hard to develop a cohesive timeline for events that span multiple log sources and multiple time zones.  We are going to fix this.
+
+Though the date is set for EST, the specific log entry that may or may not be forwarded to a log server has no indication of the timezone or the year.
+
+![image](../../../assets/9f753b28-fd3b-4854-b155-54bca96e239c.png)
+
+## rw01 - ubuntu
+We fix this by commenting out a line (shown below) in RW01's main `/etc/rsyslog.conf` file.  By default, rsyslog does not use high precision timestamps.  Make sure to restart rsyslog on rw01
+![image](../../../assets/8ed3b550-988b-432c-895e-3f1e3acceb45.png)
+
+![image](../../../assets/aa578b16-2113-4af0-b7c7-ae18e52ad336.png)
+
+
+## web01 & log01 - rocky
+in `/etc/rsyslog.conf`
+- add these lines:
+  - `$ActionFileDefaultTemplate RSYSLOG_SyslogProtocol23Format`---enables RFC 5424-style syslog format, which includes high-precision timestamps with timezone information.
+  - `template(name="BetterTiming" type="string" string="%timestamp:::date-rfc3339% %HOSTNAME% %syslogtag%%msg%\n")`---explicitly defines a custom template, including high-fidelity timestamps with timezone info
+  - add the suffix `;BetterTiming` to the loggging destination---enables the custom template on your logs
+
+![image](../../../assets/0331dde8-2028-445d-89e2-d55fb5b3cf45.png)
+![image](../../../assets/742df745-1a26-4c6d-a082-d7edfa04fd2f.png)

net-sec-controls-sec350/labs/week02/Lab2.2-syslog-organization.md

@@ -0,0 +1,66 @@
+# Lab 2.2 - Syslog Organization on log01
+
+## setup mgmt01
+- on LAN
+- ip: 172.16.150.10
+- DG & DNS: 172.16.150.2
+
+### configure fw01 with the LAN
+#### NAT rules on fw01, to set NAT for LAN to WAN
+```
+set nat source rule 20 description "NAT FROM LAN to WAN"
+set nat source rule 20 outbound-interface eth0
+set nat source rule 20 source address 172.16.150.0/24
+set nat source rule 20 translation address masquerade
+```
+#### DNS forwarding from LAN to WAN
+```
+set service dns forwarding listen-address 172.16.150.2
+set service dns forwarding allow-from 172.16.150.0/24
+```
+mgmt01 should now be able to ping google.com
+
+### Install chrome remote desktop on mgmt01
+- open chrome
+- sign in with school email and turn on sync
+- go to remotedesktop.google.com, install the app if you want
+- on main host (laptop, go to `https://g.co/crd/headless`), download and install the package: 
+  - there might be dependency issues, this command worked on my computer: `sudo apt install libutempter0 xbase-clients xserver-xorg-video-dummy xvfb`
+  - `sudo dpkg -i google-chrome-stable_current_amd64`
+- still on main host, click next and copy the command for the remote OS (in our case, debian)
+- paste it in the remote terminal, and create a PIN
+- at this point you should be able to access mgmt01 via chrome remote desktop, you might need to update CRD on mgmt01 first though, but we know how to do that ^
+- IMPORTANT: log out of the remote computer before attempting to connect
+
+## log organization on log01
+Having all of our remote logs stuffed into log01's  /var/log/messages or /var/log/secure is not helpful. Remote logs should be segregated and ideally stored on reliable and redundant storage in a manner that supports dealing with discrete event types. We are going to store logs in a directory hierarchy in order to provide this organization.
+
+- re-comment the input modules from lab 1.1
+![image](../../../assets/a51c6beb-41a7-4885-a285-61885f073995.png)
+- create a new config file call sec350.conf:
+![image](../../../assets/c12ab0af-4ef2-4904-9ede-9d4d96a65122.png)
+- copy that file to /etc/rsyslod.d/: `sudo cp sec350.conf /etc/rsyslog.d/`
+
+```
+This configuration file (03-sec350.conf) will dynamically create and name files based upon hostname,
+date and process name. Input over udp 514 is associated with the RemoteDevice ruleset which in turn
+uses the dynamic template configuration called “DynFile”.
+``` 
+testing \
+![image](../../../assets/37f2c335-0611-42c9-962a-62a4681eeae5.png)
+![image](../../../assets/3b863e99-1ae4-4d29-91cb-1a3b187aab5f.png)
+
+## web01: Logging Authorization Events
+Modify the rsyslog client configuration on web01 so that authentication events are forwarded to our log server. the line `authpriv.* @172.16.50.5` will send all authpriv logs to the remote server(log01)
+![image](../../../assets/59be1bd2-d915-4360-9595-f0d32d68e030.png) \
+after sshing from rw01>web01(with failed attempts), we can see this in the sshd.log file \
+![image](../../../assets/f45b745c-6aff-4cd6-86dd-0ddb13256267.png)
+
+## fw01: Logging Authorization Events
+We are going to adjust the vyos configuration to send authentication messages from fw01 to log01.  Note, vyos does produce a ton of useless authentication messages which we are going to have to deal with at some point.
+- first, [change the default password](https://git.charlotte.sh/lotte/ChamplainTechJournals/src/branch/main/net-sec-controls-sec350/week01/vyos.md#change-password) : `set system login user vyos authentication plaintext-password password123!`
+- `set system syslog host 172.16.50.5 facility authpriv level info` \
+![image](../../../assets/57d3e4d5-2d74-45c7-91e1-7e0066bcaf10.png) \
+![image](../../../assets/26d035b6-8587-4277-ac33-3b4824459cc8.png)
+
+

net-sec-controls-sec350/labs/week02/centOS_repo_fix.md

@@ -0,0 +1,7 @@
+# CentOS Repo Fix
+They changed the URLs for the repos for CentOS. to fix, change the repos in yum's config:
+```
+sudo sed -i s/mirror.centos.org/vault.centos.org/g /etc/yum.repos.d/CentOS-*.repo
+sudo sed -i s/^#.*baseurl=http/baseurl=http/g /etc/yum.repos.d/CentOS-*.repo
+sudo sed -i s/^mirrorlist=http/#mirrorlist=http/g /etc/yum.repos.d/CentOS-*.repo
+```