coelner/gedankensplitter
1
0
Fork 0
Code Pull Requests Releases Activity

proxmox

Browse Source
This commit is contained in:
coelner 2022-07-28 17:17:20 +02:00
parent b0e4cc28d7
commit dc6e6c9f08
2 changed files with 424 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

348
linux_hardening.md
View File

@ -49,8 +49,8 @@ block device -> dm-integrity -> cryptsetup(mdadm/lvm2 (RAID1)) -> btrfs
- [ ] complete header backup
- [ ] block device sector size
- [ ] block device support for SCT/ERC `smartctl -l scterc /dev/sdX`
- [ ] Block device support for write-verify `smartctl -R1 /dev/sdX`
- [ ] blcok device support ``hdparm --dco-identify /dev/sdX`
- [ ] Block device support for write-verify `smartctl -r1 /dev/sdX`
- [ ] block device support ``hdparm --dco-identify /dev/sdX`
Western Digital Time Limited Error Recovery (TLER)
Seagate Error Recovery Control (ERC)
@ -80,6 +80,22 @@ SCT capabilities: (0x003f) SCT Status supported.
SCT Error Recovery Control supported.
SCT Feature Control supported.
SCT Data Table supported.
hdparm --dco-identify /dev/sda
/dev/sda:
DCO Checksum verified.
DCO Revision: 0x0002
The following features can be selectively disabled via DCO:
Transfer modes:
mdma0 mdma1 mdma2
udma0 udma1 udma2 udma3 udma4 udma5 udma6
Real max sectors: 18446744072344861488
ATA command/feature sets:
SMART self_test error_log security PUIS AAM HPA 48_bit
selective_test
WRITE_UNC_EXT
SATA command/feature sets:
NCQ interface_power_management SSP
```
Lenovo S440 HDD
@ -103,6 +119,225 @@ SMART support is: Enabled
sudo smartctl -a /dev/sda | grep SCT
SCT capabilities: (0x1081) SCT Status supported.
hdparm --dco-identify /dev/sda
/dev/sda:
DCO Checksum verified.
DCO Revision: 0x0002
The following features can be selectively disabled via DCO:
Transfer modes:
mdma0 mdma1 mdma2
udma0 udma1 udma2 udma3 udma4 udma5 udma6
Real max sectors: 976773168
ATA command/feature sets:
SMART self_test error_log security PUIS HPA
selective_test conveyance_test
WRITE_UNC_EXT
SATA command/feature sets:
interface_power_management SSP
hdparm -I /dev/sda
/dev/sda:
ATA device, with non-removable media
Model Number: ST500LM000-SSHD-8GB
Serial Number: W762L1TL
Firmware Revision: LIV5
Transport: Serial, ATA8-AST, SATA 1.0a, SATA II Extensions, SATA Rev 2.5, SATA Rev 2.6, SATA Rev 3.0
Standards:
Used: unknown (minor revision code 0x001f)
Supported: 8 7 6 5
Likely used: 8
Configuration:
Logical max current
cylinders 16383 16383
heads 15 16
sectors/track 63 63
--
CHS current addressable sectors: 16514064
LBA user addressable sectors: 268435455
LBA48 user addressable sectors: 976773168
Logical Sector size: 512 bytes
Physical Sector size: 4096 bytes
Logical Sector-0 offset: 0 bytes
device size with M = 1024*1024: 476940 MBytes
device size with M = 1000*1000: 500107 MBytes (500 GB)
cache/buffer size = unknown
Form Factor: 2.5 inch
Nominal Media Rotation Rate: 5400
Capabilities:
LBA, IORDY(can be disabled)
Queue depth: 32
Standby timer values: spec'd by Standard, no device specific minimum
R/W multiple sector transfer: Max = 16 Current = 16
Advanced power management level: disabled
Recommended acoustic management value: 254, current value: 0
DMA: mdma0 mdma1 mdma2 udma0 udma1 udma2 udma3 udma4 udma5 *udma6
Cycle time: min=120ns recommended=120ns
PIO: pio0 pio1 pio2 pio3 pio4
Cycle time: no flow control=120ns IORDY flow control=120ns
Commands/features:
Enabled Supported:
* SMART feature set
Security Mode feature set
* Power Management feature set
* Write cache
* Look-ahead
* Host Protected Area feature set
* WRITE_BUFFER command
* READ_BUFFER command
* DOWNLOAD_MICROCODE
Advanced Power Management feature set
Power-Up In Standby feature set
* SET_FEATURES required to spinup after power up
SET_MAX security extension
* 48-bit Address feature set
* Device Configuration Overlay feature set
* Mandatory FLUSH_CACHE
* FLUSH_CACHE_EXT
* SMART error logging
* SMART self-test
* General Purpose Logging feature set
* 64-bit World wide name
* IDLE_IMMEDIATE with UNLOAD
* Write-Read-Verify feature set
* WRITE_UNCORRECTABLE_EXT command
* {READ,WRITE}_DMA_EXT_GPL commands
* Segmented DOWNLOAD_MICROCODE
* Gen1 signaling speed (1.5Gb/s)
* Gen2 signaling speed (3.0Gb/s)
* Gen3 signaling speed (6.0Gb/s)
* Native Command Queueing (NCQ)
* Host-initiated interface power management
* Phy event counters
* Idle-Unload when NCQ is active
* READ_LOG_DMA_EXT equivalent to READ_LOG_EXT
* DMA Setup Auto-Activate optimization
* Device-initiated interface power management
* Software settings preservation
* SMART Command Transport (SCT) feature set
unknown 206[7]
unknown 206[12] (vendor specific)
Security:
Master password revision code = 65534
supported
not enabled
not locked
not frozen
not expired: security count
supported: enhanced erase
98min for SECURITY ERASE UNIT. 98min for ENHANCED SECURITY ERASE UNIT.
Logical Unit WWN Device Identifier: 5000c5007cb8f1cc
NAA : 5
IEEE OUI : 000c50
Unique ID : 07cb8f1cc
Checksum: correct
```
m.s SATA SSD
```
ATA device, with non-removable media
Model Number: TS256GMTS430S
Serial Number: F129080156
Firmware Revision: S0423A
Transport: Serial, ATA8-AST, SATA 1.0a, SATA II Extensions, SATA Rev 2.5, SATA Rev 2.6, SATA Rev 3.0
Standards:
Supported: 9 8 7 6 5
Likely used: 9
Configuration:
Logical max current
cylinders 16383 16383
heads 16 16
sectors/track 63 63
--
CHS current addressable sectors: 16514064
LBA user addressable sectors: 268435455
LBA48 user addressable sectors: 500118192
Logical Sector size: 512 bytes
Physical Sector size: 512 bytes
Logical Sector-0 offset: 0 bytes
device size with M = 1024*1024: 244198 MBytes
device size with M = 1000*1000: 256060 MBytes (256 GB)
cache/buffer size = unknown
Nominal Media Rotation Rate: Solid State Device
Capabilities:
LBA, IORDY(can be disabled)
Queue depth: 32
Standby timer values: spec'd by Standard, no device specific minimum
R/W multiple sector transfer: Max = 2 Current = 1
DMA: mdma0 mdma1 mdma2 udma0 udma1 udma2 udma3 udma4 udma5 *udma6
Cycle time: min=120ns recommended=120ns
PIO: pio0 pio1 pio2 pio3 pio4
Cycle time: no flow control=120ns IORDY flow control=120ns
Commands/features:
Enabled Supported:
* SMART feature set
Security Mode feature set
* Power Management feature set
* Write cache
* Look-ahead
* Host Protected Area feature set
* WRITE_BUFFER command
* READ_BUFFER command
* NOP cmd
* DOWNLOAD_MICROCODE
SET_MAX security extension
* 48-bit Address feature set
* Mandatory FLUSH_CACHE
* FLUSH_CACHE_EXT
* SMART error logging
* SMART self-test
* General Purpose Logging feature set
* WRITE_{DMA|MULTIPLE}_FUA_EXT
* 64-bit World wide name
* WRITE_UNCORRECTABLE_EXT command
* {READ,WRITE}_DMA_EXT_GPL commands
* Segmented DOWNLOAD_MICROCODE
* unknown 119[6]
unknown 119[9]
* Gen1 signaling speed (1.5Gb/s)
* Gen2 signaling speed (3.0Gb/s)
* Gen3 signaling speed (6.0Gb/s)
* Native Command Queueing (NCQ)
* READ_LOG_DMA_EXT equivalent to READ_LOG_EXT
* DMA Setup Auto-Activate optimization
* Software settings preservation
* SANITIZE feature set
* BLOCK_ERASE_EXT command
* DOWNLOAD MICROCODE DMA command
* WRITE BUFFER DMA command
* READ BUFFER DMA command
* Data Set Management TRIM supported (limit 8 blocks)
* Deterministic read ZEROs after TRIM
Security:
Master password revision code = 65534
supported
not enabled
not locked
not frozen
not expired: security count
supported: enhanced erase
2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Logical Unit WWN Device Identifier: 57c354816d52575c
NAA : 5
IEEE OUI : 7c3548
Unique ID : 16d52575c
Checksum: correct
DCO Checksum verified.
DCO Revision: 0x0002
The following features can be selectively disabled via DCO:
Transfer modes:
mdma0 mdma1 mdma2
udma0 udma1 udma2 udma3 udma4 udma5 udma6
Real max sectors: 500118192
ATA command/feature sets:
SMART security HPA 48_bit
FUA selective_test conveyance_test
SATA command/feature sets:
NCQ interface_power_management async_notification SSP
```
```
Model Family: Toshiba 2.5" HDD MQ01ABD...
@ -127,6 +362,115 @@ Write cache is: Enabled
DSN feature is: Unavailable
ATA Security is: Disabled, NOT FROZEN [SEC1]
Wt Cache Reorder: Unknown
hdparm --dco-identify /dev/sda
/dev/sda:
SG_IO: bad/missing sense data, sb[]: 70 00 05 00 00 00 00 0a 04 51 40 01 21 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
DCO Checksum verified.
DCO Revision: 0x0000 -- unknown, treating as 0002
The following features can be selectively disabled via DCO:
Transfer modes:
Real max sectors: 1
ATA command/feature sets:
hdparm -I /dev/sda
/dev/sda:
ATA device, with non-removable media
Model Number: TOSHIBA HDWJ110
Serial Number: 81KZTN3TT
Firmware Revision: AX1T1A
Transport: Serial, ATA8-AST, SATA 1.0a, SATA II Extensions, SATA Rev 2.5, SATA Rev 2.6
Standards:
Supported: 8 7 6 5
Likely used: 8
Configuration:
Logical max current
cylinders 16383 16383
heads 16 16
sectors/track 63 63
--
CHS current addressable sectors: 16514064
LBA user addressable sectors: 268435455
LBA48 user addressable sectors: 1953525168
Logical Sector size: 512 bytes
Physical Sector size: 4096 bytes
Logical Sector-0 offset: 0 bytes
device size with M = 1024*1024: 953869 MBytes
device size with M = 1000*1000: 1000204 MBytes (1000 GB)
cache/buffer size = 8192 KBytes
Form Factor: 2.5 inch
Nominal Media Rotation Rate: 5400
Capabilities:
LBA, IORDY(can be disabled)
Queue depth: 32
Standby timer values: spec'd by Standard, no device specific minimum
R/W multiple sector transfer: Max = 16 Current = 16
Advanced power management level: 254
DMA: sdma0 sdma1 sdma2 mdma0 mdma1 mdma2 udma0 udma1 udma2 udma3 udma4 *udma5
Cycle time: min=120ns recommended=120ns
PIO: pio0 pio1 pio2 pio3 pio4
Cycle time: no flow control=120ns IORDY flow control=120ns
Commands/features:
Enabled Supported:
* SMART feature set
Security Mode feature set
* Power Management feature set
* Write cache
* Look-ahead
* Host Protected Area feature set
* WRITE_BUFFER command
* READ_BUFFER command
* NOP cmd
* DOWNLOAD_MICROCODE
* Advanced Power Management feature set
Power-Up In Standby feature set
* SET_FEATURES required to spinup after power up
SET_MAX security extension
* 48-bit Address feature set
* Device Configuration Overlay feature set
* Mandatory FLUSH_CACHE
* FLUSH_CACHE_EXT
* SMART error logging
* SMART self-test
* General Purpose Logging feature set
* WRITE_{DMA|MULTIPLE}_FUA_EXT
* 64-bit World wide name
* IDLE_IMMEDIATE with UNLOAD
* WRITE_UNCORRECTABLE_EXT command
* {READ,WRITE}_DMA_EXT_GPL commands
* Segmented DOWNLOAD_MICROCODE
* Gen1 signaling speed (1.5Gb/s)
* Gen2 signaling speed (3.0Gb/s)
* Native Command Queueing (NCQ)
* Host-initiated interface power management
* Phy event counters
* Idle-Unload when NCQ is active
* DMA Setup Auto-Activate optimization
* Device-initiated interface power management
* Software settings preservation
* SMART Command Transport (SCT) feature set
* SCT Write Same (AC2)
* SCT Error Recovery Control (AC3)
* SCT Features Control (AC4)
* SCT Data Tables (AC5)
* DOWNLOAD MICROCODE DMA command
Security:
Master password revision code = 65534
supported
not enabled
not locked
frozen
not expired: security count
supported: enhanced erase
218min for SECURITY ERASE UNIT. 218min for ENHANCED SECURITY ERASE UNIT.
Logical Unit WWN Device Identifier: 5000039af21081db
NAA : 5
IEEE OUI : 000039
Unique ID : af21081db
Checksum: correct
```
```

78
proxmox.md Normal file
View File

@ -0,0 +1,78 @@
## Proxmox
### packages
tmux, powertop,htop, cryptsetup,vim
### 0-prepare
```
cryptsetup benchmark
# Tests are approximate using memory only (no storage IO).
PBKDF2-sha1 1693983 iterations per second for 256-bit key
PBKDF2-sha256 3021832 iterations per second for 256-bit key
PBKDF2-sha512 1325633 iterations per second for 256-bit key
PBKDF2-ripemd160 754371 iterations per second for 256-bit key
PBKDF2-whirlpool 595105 iterations per second for 256-bit key
argon2i 6 iterations, 1048576 memory, 4 parallel threads (CPUs) for 256-bit key (requested 2000 ms time)
argon2id 6 iterations, 1048576 memory, 4 parallel threads (CPUs) for 256-bit key (requested 2000 ms time)
# Algorithm | Key | Encryption | Decryption
aes-cbc 128b 1090.7 MiB/s 3409.7 MiB/s
serpent-cbc 128b 103.7 MiB/s 379.6 MiB/s
twofish-cbc 128b 215.8 MiB/s 389.4 MiB/s
aes-cbc 256b 851.0 MiB/s 2905.0 MiB/s
serpent-cbc 256b 106.6 MiB/s 378.1 MiB/s
twofish-cbc 256b 221.1 MiB/s 385.7 MiB/s
aes-xts 256b 2801.2 MiB/s 2827.7 MiB/s
serpent-xts 256b 349.7 MiB/s 351.8 MiB/s
twofish-xts 256b 352.7 MiB/s 359.3 MiB/s
aes-xts 512b 2391.9 MiB/s 2392.0 MiB/s
serpent-xts 512b 352.8 MiB/s 342.3 MiB/s
twofish-xts 512b 358.6 MiB/s 359.6 MiB/s
root@pve:~#
```
####
1. create dm-integrity
skipped: https://btrfs.readthedocs.io/en/latest/Tree-checker.html
1. create GPT partition
- first sector: 2048
- last sector: end
- uuid: 8300
3. create btrfs raid-1
```
mkfs.btrfs --csum xxhash -d raid1 /dev/sda /dev/sdb
Label: (null)
UUID: 8d65854a-6be3-45de-81dd-cadbd9f49892
Node size: 16384
Sector size: 4096
Filesystem size: 1.82TiB
Block group profiles:
Data: RAID1 1.00GiB
Metadata: RAID1 1.00GiB
System: RAID1 8.00MiB
SSD detected: no
Zoned device: no
Incompat features: extref, skinny-metadata, no-holes
Runtime features: free-space-tree
Checksum: xxhash64
Number of devices: 2
Devices:
ID SIZE PATH
1 931.51GiB /dev/sda1
2 931.51GiB /dev/sdb1
```
5. create mounttarget folder and create fstab entry
```
lsblk -o uuid,name
UUID NAME
sda
8d65854a-6be3-45de-81dd-cadbd9f49892 └─sda1
sdb
8d65854a-6be3-45de-81dd-cadbd9f49892 └─sdb1
UUID=8d65854a-6be3-45de-81dd-cadbd9f49892 /mnt/slowStorage btrfs defaults,rw 0 1
```
6. Create under Rechenzentrum->Storage->Hinzufügen->BTRFS
7. update templates: `pveam update`
### ToDo
https://wiki.postgresql.org/wiki/Transparent_Data_Encryption