Initial check in of 10-tech-lab.adoc. #89
CharlesTBetz left a comment
Number of things I need you to address before I can accept this in lieu of final.
|
|
||
| === Getting started | ||
|
|
||
| Start up a Virtual Machine, login to your personal server, perform an update and install lynis. |
Please mention via Google Cloud Console.
OK. Do you want me to show how to create a VM in the Google Cloud Console? Do you want me to refer to Lab 01 if students can't remember how to create a VM from the command line?
| === Getting started | ||
|
|
||
| Start up a Virtual Machine, login to your personal server, perform an update and install lynis. | ||
| Lynis will not be installed in the directory you are currently in. Use the 'find' command to determine where it was installed. |
At this point, they have not tried to install Lynis, so a search will not find anything.
|
|
||
| Start up a Virtual Machine, login to your personal server, perform an update and install lynis. | ||
| Lynis will not be installed in the directory you are currently in. Use the 'find' command to determine where it was installed. | ||
| Once you know where it got downloaded, run 'audit system' with the --quick option (don't wait for user input). Lynis will generate hundreds |
| Start up a Virtual Machine, login to your personal server, perform an update and install lynis. | ||
| Lynis will not be installed in the directory you are currently in. Use the 'find' command to determine where it was installed. | ||
| Once you know where it got downloaded, run 'audit system' with the --quick option (don't wait for user input). Lynis will generate hundreds | ||
| of findings that will scroll off your display. Redirect the lynis output to a file, e.g. lynis_out, so you can view it later. |
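Review bot: The last two sentences of this step say Lynis was "downloaded" where the line above says "installed", and they name an output file without showing the command that produces it. Pick one term and spell out the invocation, for example `lynis audit system --quick --no-colors > lynis_out`, with the path adjusted to wherever `find` located the binary; `--no-colors` keeps terminal colour codes out of the saved file. Because the file lists the host's weaknesses, also tell students to keep it on the VM rather than paste it into a shared location.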
Provide an example with a > redirect operator.
Made command clearer.
| https://cisofy.com/controls/AUTH-9286/ | ||
| .... | ||
|
|
||
| Let's fix the minium and maxium password age issue in login.defs. |
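Review bot: "minium" and "maxium" in the last line should read "minimum" and "maximum", and the sentence does not name the settings to change. State them explicitly (`PASS_MIN_DAYS` and `PASS_MAX_DAYS` in `/etc/login.defs`) and note that values in login.defs apply only to accounts created afterwards; existing accounts keep their current aging values until they are updated with `chage`.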
Did you validate that this was an issue on the current default Google VM? And the fix is still relevant?
This issue is still relevant along with the fix. Do you want me to add an image of the before and after result?
| * Create a new VM and run the vulnerability scanner. | ||
| * Save the output to a text file, named "initial-output.log" | ||
| * Run the necessary commands to fix the vulnerability. | ||
| * Put them into a shell script. |
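Review bot: The list stops at putting the fix into a shell script and never verifies it. Add a step to rerun the scanner after the script has run and save that output to a second file next to "initial-output.log", so the before and after findings can be compared. "the vulnerability" is also ambiguous here, since the lab text says the scanner generates hundreds of findings; say which one the script is meant to fix.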
I would like them to create a hardened Packer image for extra credit.
I added the comment, you'll have to review and let me know if I worded it the way you want.
| (if time) | ||
|
|
||
| When you have reflected enough on the Java deserialization vulnerability and the implications of that article, move on to a Web vulnerability. We will install | ||
| Java and apache2 on your VM. (Don't try to install these on the main server; you won't be able to.) |
We don't use a "main server" anymore. That's the kind of thing I need cleaned up.
They can use the same VM; mention this.
|
|
||
| NOTE: You will get raw XML dumped to the terminal. You can cut and paste this to an *.xml document on your workstation and open it with a browser for an easier view. | ||
|
|
||
| === Optional ITSM process |
The ITSM section should reference Jira SD, not ITOP.
|
|
||
| === ZAP | ||
| https://github.com/zaproxy/zaproxy | ||
| https://github.com/zaproxy/zaproxy/releases/download/2.4.0/ZAPGettingStartedGuide-2.4.pdf |
|
|
||
|
|
||
| == Tools | ||
| The following tools were evaluated as part of developing this lab. |
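Review bot: In the ZAP section the Getting Started Guide URL is pinned to the 2.4.0 release download, so it will drift from whatever ZAP version students actually install. Link to the project page alone or state which version the lab targets, and give both bare URLs a short link text so the section says why they are listed.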
Validate that all these links still work, please.
The links worked, but point to outdated material. I removed most of them.
Ported in and updated 10-tech-lab.adoc from the dm-academy/aitm-labs repository.