
    Posts

    • RE: Zimbra 8.8 Has Released

      @dbeato said in Zimbra 8.8 Has Released:

      @stacksofplates said in Zimbra 8.8 Has Released:

      @dbeato said in Zimbra 8.8 Has Released:

      @stacksofplates said in Zimbra 8.8 Has Released:

      @wirestyle22 said in Zimbra 8.8 Has Released:

      @scottalanmiller said in Zimbra 8.8 Has Released:

      Sadly the new interface that was supposed to be available in 8.8 didn't make it.

      Yet another lesson for me to not wait for things and just install it now.

      /sigh

      Just do it in Vagrant to see what it’s like.

      That's a name I have not heard in a while!

      Ha I still use it all of the time.
      My developers still use it, it's just not a lot of people talk about it around in my case.

      I build tests for my Ansible roles with it along with a Gitlab runner using Molecule and LXC.

      posted in IT Discussion
      stacksofplates
    • RE: Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?

      @scottalanmiller said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

      @stacksofplates said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

      @irj said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

      So, I'm guessing you aren't actually missing updates. Nessus is probably looking at reg key entries in addition to Windows updates. Quite a few MS updates do require additional configuration such as reg key changes.

      You need to review "plugin output" for each vulnerability. This section of the report tells you exactly why you failed the particular check.

      You can also view source code of each plugin. The plugins are usually VB or PowerShell scripts for Windows machines.

      I remember our Windows guys complaining about this.

      Sounds like Nessus is a known broken tool.

      ?? The patches need manual intervention in the registry. Nessus brought that to light.

      posted in IT Discussion
      stacksofplates
    • RE: Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?

      @scottalanmiller said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

      @stacksofplates said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

      @scottalanmiller said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

      @stacksofplates said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

      @irj said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

      So, I'm guessing you aren't actually missing updates. Nessus is probably looking at reg key entries in addition to Windows updates. Quite a few MS updates do require additional configuration such as reg key changes.

      You need to review "plugin output" for each vulnerability. This section of the report tells you exactly why you failed the particular check.

      You can also view source code of each plugin. The plugins are usually VB or PowerShell scripts for Windows machines.

      I remember our Windows guys complaining about this.

      Sounds like Nessus is a known broken tool.

      ?? The patches need manual intervention in the registry. Nessus brought that to light.

      It brought what to light? That the patches are failing?

      The patches install correctly so it looks like everything is fine, but admins still have to go in and set registry entries. No one realized this because the patches install fine.

      posted in IT Discussion
      stacksofplates
    • RE: Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?

      @dashrender said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

      @stacksofplates said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

      @momurda said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

      @stacksofplates Is there a list somewhere of what registry changes need to be made on each computer after installing these patches from MS? It certainly isn't mentioned in WSUS or Windows Update. I thought that was the point of the constant rebooting.

      I’d have to dig through their logs. That’s why they were so surprised. It’s not listed anywhere but these reg entries needed added or modified.

      OR Nessus needs to find another way to verify that the patch is installed.

      That’s not how it verifies. There were strings in keys that needed modified. Like one string had a space that needed quoted because it created some vulnerability without quotes. I’ll have to talk with some of those guys and get some examples since I don’t do anything with Windows.

      posted in IT Discussion
      stacksofplates
    • RE: Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?

      @scottalanmiller said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

      Although Nessus should report that and NOT that they are not patched. Different things.

      It may. I have no idea if that’s what is showing on his, and I don’t see the reports for the Windows stuff in our environment. I just know that was something those guys were complaining about, and @irj said the same thing.

      posted in IT Discussion
      stacksofplates
    • RE: Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP)

      How do you build more than 10-20 systems without PXE? I think I’d just have to walk away.

      posted in IT Discussion
      stacksofplates
    • RE: Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP)

      @stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      could not legally fail because everything isn't static

      Let me rephrase, since anything can happen.

      They would have a huge ground to stand on since that is not a requirement mentioned anywhere from NIST.

      posted in IT Discussion
      stacksofplates
    • RE: Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP)

      @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      Suggested does not mean that in any way.

      You keep skipping the "requirement" portion coming from his own company. So suggested sure does mean that.

      Show where that was stated.

      It's the entire purpose of the thread.... to satisfy this one part of the audit. The thread itself is that this is required.

      Nope. Was never stated as a requirement. Only that the auditor suggested it and his boss just went along with what they said. He came here to get information on what to do.

      posted in IT Discussion
      stacksofplates
    • RE: Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP)

      @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      Suggested does not mean that in any way.

      You keep skipping the "requirement" portion coming from his own company. So suggested sure does mean that.

      Show where that was stated.

      It's the entire purpose of the thread.... to satisfy this one part of the audit. The thread itself is that this is required.

      Nope. Was never stated as a requirement. Only that the auditor suggested it and his boss just went along with what they said. He came here to get information on what to do.

      I've not heard anything about the boss going along with anything. The boss wants it, I've not noticed anything about the boss wanting it because of the audit, nor do I see how that matters. The auditor wants it, the boss wants it, the goal is to pass audit... what more do you need?

      The boss obviously didn't care before the audit or it would have been that way. Then the audit happened. Now the boss is going along with the auditor's suggestion.

      posted in IT Discussion
      stacksofplates
    • RE: Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP)

      @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      ...people are just reading lists that other people created and following instructions and trying to just "do their job" and keep their job. Security was/is a real concern, but it's been buried under the fluff of doing business and passing audits.

      Here is more. Yes they would like other things, but their goal is passing the audit. And passing, here, requires following the suggestion.

      So both the boss wants this done separately, and the goal of passing the audit requires doing what the auditor suggests.

      but it's been buried under the fluff of doing business and passing audits

      And my point was you can pass the audit without setting everything statically. It's not a requirement.

      Given that the ONLY thing we know about the audit is that it suggests static for no reason other than that that is what they want, how can you say that?

      It doesn't suggest static for no reason. It suggests static because they assume that stops people from plugging in and getting an address on the network. Again, it's a suggestion not a requirement.

      posted in IT Discussion
      stacksofplates
    • RE: Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?

      @tim_g said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

      @stacksofplates said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

      @irj said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

      @tim_g said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

      You'd think they would be running OpenVAS or SCAP or something similar instead of just scanning for patches that may or may not apply to the server...

      What are you talking about? It only runs applicable scripts. Nessus is much better than either of those solutions.

      I don't think it compares to SCAP. That's just hardening rules. I really like OpenSCAP, it's just a different tool.

      OpenSCAP is what I meant... I didn't know there was a difference between OpenSCAP and SCAP.

      SCAP is the NIST stuff. OpenSCAP is the tool.

      posted in IT Discussion
      stacksofplates
    • RE: Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?

      @irj said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

      @stacksofplates said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

      @tim_g said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

      @stacksofplates said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

      @irj said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

      @tim_g said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

      You'd think they would be running OpenVAS or SCAP or something similar instead of just scanning for patches that may or may not apply to the server...

      What are you talking about? It only runs applicable scripts. Nessus is much better than either of those solutions.

      I don't think it compares to SCAP. That's just hardening rules. I really like OpenSCAP, it's just a different tool.

      OpenSCAP is what I meant... I didn't know there was a difference between OpenSCAP and SCAP.

      SCAP is the NIST stuff. OpenSCAP is the tool.

      You can also run NIST specific audits with Nessus.

      Well it does some things I “think” Nessus doesn’t. It will scan VMs without an agent or logging in from the hypervisor. OpenSCAP also has all of RHEL's hardening rules baked in like sysctl configs and things like AIDE.

      posted in IT Discussion
      stacksofplates
    • Directory Server in Go

      I've been spending time learning Go and here's a small utility I wrote that's similar to Python's SimpleHTTPServer.

      package main
      
      import (
      	"log"
      	"net/http"
      	"os"
      )
      
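      func main() {
      	// The directory to serve is the first command-line argument.
      	if len(os.Args) < 2 {
      		log.Fatal("You must enter a path")
      	}
      	path := os.Args[1]
      
      	// Serve every file under path; ":8000" listens on all interfaces.
      	http.Handle("/", http.FileServer(http.Dir(path)))
      	// ListenAndServe only returns on failure (for example, port in use), so log the error.
      	log.Fatal(http.ListenAndServe(":8000", nil))
      }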
      

      This creates an HTTP server serving all of the files in the path you specify.

      Just use this:

      go run serve.go /etc
      

      Or do go build serve.go and it will create a binary you can run.


      posted in IT Discussion golang go webserver
      stacksofplates
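
A hardened variant of the file server in the post above, as an added example that is not part of the original post: it binds to loopback instead of every interface, refuses any path element that starts with a dot, and filters dotfiles out of directory listings. The names guardedFS, guardedFile, newHandler and get are hypothetical.

```go
package main

import (
	"io/fs"
	"log"
	"net/http"
	"net/http/httptest"
	"os"
	"strings"
	"time"
)

// guardedFS wraps the served directory and refuses dotfiles (.ssh, .git, .env ...).
type guardedFS struct{ http.FileSystem }

func (g guardedFS) Open(name string) (http.File, error) {
	// FileServer passes cleaned, slash-separated paths; reject any element starting with ".".
	if strings.Contains("/"+name, "/.") {
		return nil, fs.ErrPermission // http.FileServer answers 403 Forbidden
	}
	f, err := g.FileSystem.Open(name)
	if err != nil {
		return nil, err
	}
	return guardedFile{f}, nil
}

// guardedFile drops dotfiles from directory listings so their names do not leak.
type guardedFile struct{ http.File }

func (f guardedFile) Readdir(n int) ([]fs.FileInfo, error) {
	entries, err := f.File.Readdir(n)
	kept := entries[:0]
	for _, e := range entries {
		if !strings.HasPrefix(e.Name(), ".") {
			kept = append(kept, e)
		}
	}
	return kept, err
}

// newHandler builds the file-serving handler for root.
func newHandler(root string) http.Handler {
	return http.FileServer(guardedFS{http.Dir(root)})
}

// get sends one in-memory GET through h (no socket) and returns status and body.
func get(h http.Handler, target string) (int, string) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, target, nil))
	return rec.Code, rec.Body.String()
}

func main() {
	if len(os.Args) < 2 {
		log.Fatal("usage: serve <directory>")
	}
	h := newHandler(os.Args[1])
	// Fail closed: refuse to start if the dotfile guard is not answering 403.
	if code, _ := get(h, "/.probe"); code != http.StatusForbidden {
		log.Fatalf("dotfile guard inactive, got %d", code)
	}
	srv := &http.Server{ // loopback only, unlike ":8000", which is every interface
		Addr: "127.0.0.1:8000", Handler: h, ReadHeaderTimeout: 5 * time.Second,
	}
	log.Fatal(srv.ListenAndServe())
}
```
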
    • RE: KVM in Production - Build it yourself

      Mine isn’t meant to be a full backup replacement. It’s a way to get full disk images once a week or so. I think most people that are using KVM are either using cloud infra or using state machines and agents when needed. I don’t think there is much of a demand for this type of backup solution.

      However I firmly believe any org can use automation. It’s not just for large orgs. If I can do it for everything in my house, any size business can.

      posted in IT Discussion
      stacksofplates
    • RE: KVM in Production - Build it yourself

      @dashrender said in KVM in Production - Build it yourself:

      @stacksofplates said in KVM in Production - Build it yourself:

      Mine isn’t meant to be a full backup replacement. It’s a way to get full disk images once a week or so. I think most people that are using KVM are either using cloud infra or using state machines and agents when needed. I don’t think there is much of a demand for this type of backup solution.

      However I firmly believe any org can use automation. It’s not just for large orgs. If I can do it for everything in my house, any size business can.

      So what do you do with your stateless data - like photos? video files, etc?

      For home? Amazon. It’s automatically backed up there. I do have a bunch of music but that’s on one NFS VM that’s running CrashPlan. But like I said it’s one of the few that would require an agent.

      posted in IT Discussion
      stacksofplates
    • RE: Help me understand KVM Networking

      I’ve never done it through Cockpit. I’ve always used either nmcli or nmtui to create everything. What do your ifcfg files look like for those interfaces?

      posted in IT Discussion
      stacksofplates
    • RE: Help me understand KVM Networking

      I also usually just use macvtap. If I need host to guest communication I just set up a private network for them to communicate on.

      posted in IT Discussion
      stacksofplates
    • RE: Help me understand KVM Networking

      Do the guests have network access if you give them a static address?

      posted in IT Discussion
      stacksofplates
    • RE: Help me understand KVM Networking

      @jaredbusch said in Help me understand KVM Networking:

      @stacksofplates said in Help me understand KVM Networking:

      I also usually just use macvtap. If I need host to guest communication I just set up a private network for them to communicate on.

      Well, I cannot think of a reason to require host to guest communication, except that I may want to connect from a guest to the host to update the ISO store I use occasionally.

      Ya that's really the only advantage to a full bridge.

      posted in IT Discussion
      stacksofplates
    • RE: Help me understand KVM Networking

      @wirestyle22 said in Help me understand KVM Networking:

      @black3dynamite said in Help me understand KVM Networking:

      @stacksofplates said in Help me understand KVM Networking:

      Too bad ovs isn't in the repos for RHEL/CentOS. You can set up these private networks and connect them through a VXLAN with ovs. That way you can have something like a separate dev network on the same hosts and they can communicate between hosts.

      Not available in the epel repo?

      That is apparently the case unless my Google-fu isn't up to snuff

      Nope. It is available in Fedora though. If you want to install it you have to manually build the RPMs. While not hard to build it would be a pain to maintain updates.

      posted in IT Discussion
      stacksofplates