Damn, nobody else on here uses these guys?
Posts made by notverypunny
-
RE: Deploying firmware updates on servers and testing...
@scottalanmiller said in Deploying firmware updates on servers and testing...:
@jimmy9008 said in Deploying firmware updates on servers and testing...:
My thoughts are that we cannot know if a server will develop an issue from a patch before doing the patch. But, they want a plan to know which to avoid.
You are correct. Unless you can identify what caused the issue you don't have anything to go on. How will you identify the issue unless you risk several more machines... probably more machines that you have in your total fleet?
Ask them how they expect you to determine something of this nature? If they aren't providing you with the proper testing equipment and timeline (which would be insane, this could easily cost hundreds of thousands of dollars) where do they expect you to produce this information from? You don't even know what you are looking for. Even if you get lucky and guess what it is, it's just a guess and you have no confidence in predicting if it will work or not.
Yeah, this sounds like a case of the bean-counters having unreasonable expectations. Best you can do is keep track of issues to identify machines that might be more problematic than others. Concrete example from my env is that we have a couple of machines that we know will fail to reboot cleanly about 40% of the time.... Have to pull power completely and then they'll boot.... (R730 or R730xd), apparently it's a not uncommon issue with that gen of Dell servers and the only fix is to swap the whole main-board. In my case they're up for replacement and out of warranty so we just make sure that someone's on-site when/if they need to be rebooted for updates / maintenance etc
-
RE: Wazuh Setup
@scottalanmiller said in Wazuh Setup:
ElasticSearch is no longer open. I won't touch them. Look at OpenSearch now instead.
Looks like they're already using elasticsearch-oss and opendistroforelasticsearch instead of the closed source stuff. https://documentation.wazuh.com/current/installation-guide/open-distro/distributed-deployment/step-by-step-installation/elasticsearch-cluster/elasticsearch-single-node-cluster.html#elasticsearch-single-node-cluster
-
RE: Wazuh Setup
Followed the step by step instructions and it worked like a charm.... the only problem I ran into was in the elasticsearch tuning section. curl didn't want to work correctly with http so had to use https with the -k switch to deal with the self-signed certs.
-
RE: Deploying firmware updates on servers and testing...
For hardware / chassis management Dell's openmanage enterprise is pretty useful. I'd suggest giving it a look if you've got a big Dell footprint to look after. Should be available for download when you check for downloads with any recent service tag. If you can't find it let me know and I'll see if I can find a direct link.
-
Wazuh Setup
Trying to use the docs here : https://documentation.wazuh.com/current/installation-guide/open-distro/distributed-deployment/unattended/index.html
Just trying to roll out a 2 server setup (one manager, one elasticstack / kibana) and it doesn't get past the "Initializing Kibana" step, it just appears to stick in a loop or something with as many lines of progress dots in the console as I'll let run.....
I'm planning on using x.x.x.140 for the manager and x.x.x.141 for the elasticstack server.
In the config I'm using the 141 IP for <elasticsearch_ip> and <kibana_ip>, 140 for the <wazuh_master_server_IP>
When running
bash ~/elastic-stack-installation.sh -k -n <node_name>
I'm using the server's hostname as <node_name>
The instructions specify that node_name should be the same as used in the config.yml, but I don't have any references to that in the config.yml....
At this point I'm either missing something or losing my mind.... well honestly the options aren't mutually exclusive, but any info or help would be appreciated.
-
FortiMail 7.0
Just wondering if there are any FML users on here and if so, has anyone tried the 7.0 release yet?
Conventional wisdom with Forti-stuff is to wait out the first 3 or 4 patch releases before moving to production but 7.0 fixes a huge security blind-spot. https://www.reddit.com/r/fortinet/comments/ce0vm2/fortimail_skips_sfp_validation_for_safelisted/
-
RE: Digital sign boards
I haven't played with the signage mode but we've used it for kiosks with varying degrees of success.
-
RE: Bring order into IT environment in chaos
@pete-s said in Bring order into IT environment in chaos:
@notverypunny @black3dynamite @gjacobse @EddieJennings
Thanks guys!
Are there any cloud software suitable to make the customer inventory/documentation in that would fit SMB price range?
It doesn't make sense for the customer to pay for a full fledged asset management solution with ticketing and every other possible module. But it makes sense to have the documentation in some central location.
Depends of course on your price range. Teclib does hosted glpi https://www.glpi-network.cloud/ pricing shows as 19 euro / tech / mth. Unless I missed something snipe is all manual entry whereas glpi does agent-based automatic inventory. Also has a KB, ticketing and financials baked in. GLPI stands for Gestionnaire Libre de Parc Informatique (roughly translated: Free Data Centre Manager). You could also run it on-prem, just requires a basic LAMP setup.
-
RE: Bring order into IT environment in chaos
@pete-s said in Bring order into IT environment in chaos:
Faced with a working IT environment in chaos (undocumented, unpatched, where's the backups, what licenses are there, what warranties, vendors, what servers are in use, what apps etc, etc).
What steps would you take to get things in order as quickly as possible?
And in what order would you do it?
1- Figure out what your current state is
- Automated inventory / scan (glpi / lansweeper / openaudit etc...)
- Physical inventory to ensure that nothing in the automated inventory was missed
2- Establish priorities with the stakeholders, depending on what your inventory / audit finds.
- Prioritize what's needed to ensure that the business can continue, this doesn't always line up with what we as IT might want to have updated at first glance. (business can continue on W7, missing backups of an accounting suite could kill some small businesses)
-
RE: FIM, FAAM, details & False Positives
@scottalanmiller said in FIM, FAAM, details & False Positives:
@notverypunny said in FIM, FAAM, details & False Positives:
but I know that the powers-that-be generally prefer off-the-shelf as opposed to roll your own.
Wazuh and Graylog ARE off the shelf and in no way whatsoever "rolling your own." Rolling your own means assembling parts that don't do the job alone into a system that does do the job. Totally not what is happening here.
@scottalanmiller I hear you. But I also know what management is generally willing to go with as far as solutions... I'll almost always propose / suggest the open-source options if they make sense to me, but they rarely win out over the commercial products.
To come back around to my initial question, what I see is that the Audit Detailed File Share option is an all or nothing deal for the server, so having this activated for a specific department would require a dedicated fileserver, unless there's something that I've missed.
-
FIM, FAAM, details & False Positives
Windows environment:
Does anyone know of any solutions for File Integrity Monitoring and / or File Access Auditing and Monitoring that can differentiate between explorer.exe getting basic file info (example: for a detailed file view or checking file attributes) vs a user actually accessing the file contents?
I've done some digging and it looks like the functionality was introduced in Server 2016 / W10 as the "Audit Detailed File Share" group policy option. The only commercial product that I've seen that discusses or seems to leverage this is Rapid7's InsightIDR. Since we know the event code it generates, it's reasonable to assume that something like Wazuh or Graylog could be set up to monitor for this event and alert based on its contents, but I know that the powers-that-be generally prefer off-the-shelf as opposed to roll your own.
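Worked example of the idea in the two posts above (an added example, not code from the thread, Wazuh or Graylog). "Audit Detailed File Share" writes Security event ID 5145 for every SMB access check, and the event's AccessMask field records the rights the client asked for. Explorer populating a details view requests metadata rights (ReadAttributes, ReadEA, READ_CONTROL, SYNCHRONIZE), while opening the file for reading adds ReadData, so the two can be told apart from the mask alone. The script below parses constructed 5145 records in the standard Windows event XML layout (user names, share names and paths are made up), decodes the mask, and keeps only content accesses. It also shows the answer to the "all or nothing" problem: the audit policy is server-wide, but the alert rule can be scoped to one department's share by matching ShareName. Expect a lot of these events per file open on a real server; this classification is the filter you would put in front of any alert, not the alert itself, and it only covers access over the network share, not local console access.

```python
"""Classify Windows Security event 5145 (Audit Detailed File Share) records.

Constructed example: the sample events below are made up; the event layout,
field names and access-mask bit values are the ones Windows uses.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Standard and file-specific access rights as they appear in AccessMask.
ACCESS_BITS = {
    0x00000001: "ReadData/ListDirectory",
    0x00000002: "WriteData/AddFile",
    0x00000004: "AppendData/AddSubdirectory",
    0x00000008: "ReadEA",
    0x00000010: "WriteEA",
    0x00000020: "Execute/Traverse",
    0x00000040: "DeleteChild",
    0x00000080: "ReadAttributes",
    0x00000100: "WriteAttributes",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
    0x02000000: "MAXIMUM_ALLOWED",
    0x10000000: "GENERIC_ALL",
    0x20000000: "GENERIC_EXECUTE",
    0x40000000: "GENERIC_WRITE",
    0x80000000: "GENERIC_READ",
}

# Bits that mean the client asked for the contents (or to change the object).
# ReadAttributes, ReadEA, READ_CONTROL and SYNCHRONIZE are what Explorer
# requests when it fills a details view, so they are deliberately left out.
CONTENT_BITS = (0x1 | 0x2 | 0x4 | 0x20 | 0x40 | 0x10000 | 0x40000 | 0x80000
                | 0x02000000 | 0x10000000 | 0x20000000 | 0x40000000 | 0x80000000)


@dataclass
class ShareAccess:
    user: str
    share: str
    target: str
    mask: int
    rights: List[str]
    content_access: bool


def parse_5145(xml_text: str) -> Optional[ShareAccess]:
    """Return a ShareAccess for a 5145 event, or None for any other event ID."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "5145":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    mask = int(data.get("AccessMask", "0"), 16)  # logged as hex text, e.g. "0x120089"
    rights = [name for bit, name in ACCESS_BITS.items() if mask & bit]
    return ShareAccess(
        user=data.get("SubjectUserName", ""),
        share=data.get("ShareName", ""),
        target=data.get("RelativeTargetName", ""),
        mask=mask,
        rights=rights,
        content_access=bool(mask & CONTENT_BITS),
    )


def content_accesses(events: List[str], share: Optional[str] = None) -> List[ShareAccess]:
    """Keep only events where contents were requested, optionally for one share.

    Detailed File Share auditing is enabled server-wide, so the scoping to a
    department happens here, in the alert rule, by matching ShareName.
    """
    hits = []
    for xml_text in events:
        acc = parse_5145(xml_text)
        if acc is None or not acc.content_access:
            continue
        if share is not None and acc.share.lower() != share.lower():
            continue
        hits.append(acc)
    return hits


def _event(user: str, share: str, target: str, mask: str) -> str:
    """Build a minimal 5145 record in the Windows event XML layout (constructed sample)."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>5145</EventID></System>
  <EventData>
    <Data Name="SubjectUserName">{user}</Data>
    <Data Name="ShareName">{share}</Data>
    <Data Name="RelativeTargetName">{target}</Data>
    <Data Name="AccessMask">{mask}</Data>
  </EventData>
</Event>"""


# Constructed sample input: one user browsing a folder, then opening a file,
# plus an unrelated read on another share.
SAMPLE_EVENTS = [
    _event("jdoe", r"\\*\Finance", r"Q3\budget.xlsx", "0x80"),      # Explorer: attributes only
    _event("jdoe", r"\\*\Finance", r"Q3\budget.xlsx", "0x120080"),  # attributes + READ_CONTROL + SYNCHRONIZE
    _event("jdoe", r"\\*\Finance", r"Q3\budget.xlsx", "0x120089"),  # file opened for read (ReadData set)
    _event("asmith", r"\\*\Public", r"notes.txt", "0x120089"),      # read on a different share
]

if __name__ == "__main__":
    for hit in content_accesses(SAMPLE_EVENTS, share=r"\\*\Finance"):
        print(f"{hit.user} read {hit.share}\\{hit.target} ({hex(hit.mask)}: {', '.join(hit.rights)})")
```

Run as-is it reports only the third sample event: the two Explorer look-ups on the same file are dropped because their masks carry no content bit, and the read on the Public share is dropped by the share filter. The same mask test can be expressed as a Wazuh rule or a Graylog pipeline rule once the 5145 events are being shipped.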
-
RE: Bitlocker GPO automatic?
@killmasta93 said in Bitlocker GPO automatic?:
Hi
I was wondering if someone else has accomplished what I'm trying to do.
I have a GPO to automatically store the keys in AD when BitLocker is activated, but it seems that I have to do it manually, so I put in a logon script bat with this script.bat:
Powershell.exe -ExecutionPolicy Bypass \\192.168.3.150\shares\publica\sistemas\enablebitlocker.ps1
But for some odd reason I'm getting this popup, which I would want to run silently, or is there a way to automatically say yes?
Safety warning
Run only the trusted scripts. Scripts from the Internet can be useful, but this script could damage your equipment. If you trust this script, use the Unblock-File cmdlet to allow it to run without this warning message. Do you want to run
This is the PowerShell script:
    # Check whether C: is currently unencrypted before trying to enable BitLocker
    $CdriveStatus = Get-BitLockerVolume -MountPoint 'c:'
    if ($CdriveStatus.VolumeStatus -eq 'FullyDecrypted') {
        # Turn on BitLocker with a recovery password protector; skip the TPM hardware test reboot
        C:\Windows\System32\manage-bde.exe -on c: -recoverypassword -skiphardwaretest
    }
Thank you
Just guessing here but maybe because you're calling it from a network location? Since you're doing this as a logon script, why not call the PS directly from the GPO? Or is my memory playing tricks on me again...
-
RE: How can I retrieve data from unbootable drive with Ubuntu Live?
@dustinb3403 Honestly not sure. I haven't played with bitlocker beyond enabling it for our company machines and having to dig into AD to get the key when a machine won't boot and asks for it. I have a healthy skepticism with regards to microsoft's implementation of anything. They don't seem to be as bad as apple, but they tend to work best within their own ecosystem.
-
RE: How can I retrieve data from unbootable drive with Ubuntu Live?
@fredtx said in How can I retrieve data from unbootable drive with Ubuntu Live?:
I've got a windows 10 machine that needs to be reloaded due to OS corruption (no hardware/disk failure). There are some files I need to retrieve, but can't seem to get them. I've tried using Hirens boot, and Ubuntu Live. In Ubuntu live, I can see the drive using the Gparted tool that is built into Ubuntu, but I can't see it in Files aka ubuntu's version of file explorer. Maybe cause it's not mounted, I'm assuming? My next step is to plug it into my personal windows desktop, and see if I can retrieve from there. Just wanted to run it by the community real quick to see if there's an easy way to retrieve using Ubuntu Live, or any other tool.
If the drive or filesystem is bad you might be SOL... Grab a live USB of the distro with the most recent kernel you can find (in the hopes that it's got the necessary drivers) and see what it can detect / read. Good luck.
--EDIT --
If it's bitlocker encrypted it might be easier to pop the drive into another win10 machine to copy the data over (assuming that you have the bitlocker key somewhere)
-
RE: What Are You Doing Right Now
@dustinb3403 said in What Are You Doing Right Now:
@scottalanmiller said in What Are You Doing Right Now:
Good morning everyone!
It does look like it will be a good day
-
RE: Business number texting services
@jaredbusch said in Business number texting services:
@scottalanmiller said in Business number texting services:
@jaredbusch said in Business number texting services:
so @scottalanmiller going to fork over any information? Or should I just look at the other services that no one has recommended?
This is something that will be done for this client.
Working on getting some screenshots for you. Initial pricing is $12 for a deployment. No idea if that's going to be the full release pricing, but it's where we are right now for early adopters.
Still waiting on this.
Not to steal business away from Scott, but we're doing a PoC, moving from S4B to Zoom Phone... allows you to port your existing numbers and then use SMS within Zoom
-
RE: Need a tool to share tasks with client staff
@jaredbusch said in Need a tool to share tasks with client staff:
@notverypunny said in Need a tool to share tasks with client staff:
Otherwise I could see spinning up a small nextcloud instance on DO or Vultr if you wanted to fully control and manage it.
I don't want to maintain it, thus the question.
What about just shared lists in Google keep?
-
RE: Need a tool to share tasks with client staff
We've just started using clickup internally. Otherwise I could see spinning up a small nextcloud instance on DO or Vultr if you wanted to fully control and manage it.