[WiP] LS42
parent
1f7276c5c3
commit
de35a55090
17
IncidentResponse.md
Normal file
@ -0,0 +1,17 @@
|
||||
# Incident Response
|
||||
|
||||
## hashing and comparing
|
||||
### bloom-filter
|
||||
|
||||
## write/delete protection
|
||||
|
||||
## persistent /last entry
|
||||
|
||||
## hardening
|
||||
### systemd service file
|
||||
### apparmor profile
|
||||
|
||||
## last-line of defense
|
||||
|
||||
- open vsphere terminal with login
|
||||
- keep atleast on ssh session to each server up
|
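Review bot: the second bullet under `## last-line of defense` has a typo: "keep atleast on ssh session" should read "keep at least one ssh session". Apart from these two bullets, every section of the new file (`hashing and comparing`, `write/delete protection`, `persistent /last entry`, `hardening`) is a bare heading. Since the commit is marked WiP, a one-line statement of intent under each heading would make the outline reviewable, and `persistent /last entry` in particular needs a word on what it refers to.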
@ -394,7 +394,7 @@ luci-ssl
|
||||
luci-theme-bootstrap
|
||||
luci-theme-material
|
||||
miniupnpd-nftables
|
||||
mosquitto-client-ssl
|
||||
mosquitto-ssl
|
||||
mtd
|
||||
netifd
|
||||
nftables-json
|
||||
|
14
proxmox.md
@ -15,7 +15,7 @@ https://johnscs.com/remove-proxmox51-subscription-notice/
|
||||
=> breaks update
|
||||
|
||||
### packages
|
||||
tmux, powertop,htop, cryptsetup,vim, cpu-frequ-utils
|
||||
tmux, powertop,htop, cryptsetup,vim, cpu-frequ-utils,clevis
|
||||
|
||||
### 0-prepare
|
||||
```
|
||||
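Review bot: in the `### packages` line, `cpu-frequ-utils` does not match the Debian package name, which is `cpufrequtils`, so the list cannot be pasted into `apt install` as written; the spacing after the commas is also inconsistent. For the added `clevis`, state which companion packages are meant, since Debian ships the LUKS and TPM2 parts separately as `clevis-luks` and `clevis-tpm2`.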
@ -43,7 +43,7 @@ argon2id 6 iterations, 1048576 memory, 4 parallel threads (CPUs) for 256-bi
|
||||
twofish-xts 512b 358.6 MiB/s 359.6 MiB/s
|
||||
root@pve:~#
|
||||
```
|
||||
####
|
||||
#### file storage
|
||||
1. create dm-integrity
|
||||
skipped: https://btrfs.readthedocs.io/en/latest/Tree-checker.html
|
||||
2. create bcache with a spare ssd or optane flash
|
||||
@ -77,7 +77,6 @@ Devices:
|
||||
2 931.51GiB /dev/sdb1
|
||||
```
|
||||
5. create mounttarget folder and create fstab entry
|
||||
|
||||
```
|
||||
lsblk -o uuid,name
|
||||
UUID NAME
|
||||
@ -92,10 +91,10 @@ UUID=8d65854a-6be3-45de-81dd-cadbd9f49892 /mnt/slowStorage btrfs defaults,rw 0 1
|
||||
6. Create under Rechenzentrum->Storage->Hinzufügen->BTRFS
|
||||
7. update templates: `pveam update`
|
||||
|
||||
### ToDo
|
||||
### ToDo
|
||||
https://wiki.postgresql.org/wiki/Transparent_Data_Encryption
|
||||
|
||||
### established services
|
||||
### established services
|
||||
1. homer
|
||||
2. NTP with NTS + GPS USB
|
||||
3. www-stack protection shadowd
|
||||
@ -110,12 +109,13 @@ UUID=8d65854a-6be3-45de-81dd-cadbd9f49892 /mnt/slowStorage btrfs defaults,rw 0 1
|
||||
12. backup target borg
|
||||
13. docker host
|
||||
* portainer
|
||||
15.
|
||||
|
||||
#### maybe
|
||||
#### maybe
|
||||
4. armbian build
|
||||
5. openwrt build
|
||||
|
||||
#### secureboot
|
||||
https://pve.proxmox.com/wiki/Secure_Boot_Setup
|
||||
|
||||
#### postgresql
|
||||
- use lxc
|
||||
|
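Review bot: the numbered services list ends with an empty `15.` right after `13. docker host` and its `* portainer` sub-item, so item 14 is missing and item 15 has no text; drop the empty entry or fill both in. It is also unclear whether `#### postgresql` with `- use lxc` is a decided service or still a candidate, because it sits at the same heading level as `#### maybe`; a short note tying it to the Transparent Data Encryption link under `### ToDo` would settle that.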
@ -30,4 +30,8 @@ the kernel deploys the efi vars as sysfs entries. To manipulate those, the sbsig
|
||||
https://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git/about/
|
||||
|
||||
#### systemd
|
||||
- https://uapi-group.org/specifications/specs/linux_tpm_pcr_registry/
|
||||
- https://uapi-group.org/specifications/specs/linux_tpm_pcr_registry/
|
||||
|
||||
### omv
|
||||
install needed software:
|
||||
`apt install sbsigntool efibootmgr efitools uuid-runtime`
|
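Review bot: the `### omv` heading is one level above the `#### systemd` heading just before it, so it reads as a new top-level topic rather than a sub-step of the Secure Boot notes; adjust the level if that is not intended. The section also stops after the `apt install sbsigntool efibootmgr efitools uuid-runtime` line, so either add the steps that use these tools or mark the section as incomplete.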