From lance at osuosl.org Mon Jan 3 21:25:25 2022
From: lance at osuosl.org (Lance Albertson)
Date: Mon, 3 Jan 2022 13:25:25 -0800
Subject: [ibm-aix-ibmi-hosting] Recurring security scans - and actions to be taken.
In-Reply-To: <3CFAF3F2-157B-B940-BF77-8DF50AFAF1F4@hxcore.ol>
References: <001b01d7e06f$013744f0$03a5ced0$@xs4all.nl> <3CFAF3F2-157B-B940-BF77-8DF50AFAF1F4@hxcore.ol>
Message-ID:

Happy New Year!

Attached is the latest report. It looks like p8-java1-adopt7 p8-java1-adopt8 has several things that need to be addressed among other hosts.

Can you please look into these and get back to me?

Thanks-

On Wed, Dec 22, 2021 at 1:48 PM Michael Felt wrote:

> I thought it had been merged. I'll get an update on the holdup tomorrow.
>
> ------------------------------
> *From:* Lance Albertson
> *Sent:* Wednesday, December 22, 2021 7:03 PM
> *To:* Michael Felt
> *Cc:* ibm-aix-ibmi-hosting at osuosl.org
> *Subject:* Re: [ibm-aix-ibmi-hosting] Recurring security scans - and actions to be taken.
>
> On Wed, Dec 22, 2021 at 2:45 AM Michael Felt wrote:
>
>> The first two lines, and last line were from a hung process (adopt02 and adopt04, adopt05) - a process to test connections with X11 frame based (Xfb) functionality. It is an empty process - other than accepting connections (afaik). These are not supposed to happen (the jenkins ci scripts are supposed to detect these stray processes at both start and finish).
>>
> Is this PR [1] still related to this? If so, it should get merged in soon.
>
> [1] https://github.com/adoptium/aqa-tests/pull/2831
>
>> The systems adopt07 and adopt08 are new installs - and the first to be testing jdk17 builds. Not sure what else is going on, but I'll look into that later.
>>
>> Likewise, the ibm0X systems are new installs. I'll ask someone from IBM to take a look at the report. (@sej aka Sarah Jackson).
>>
> Is there something you can add to your new installation procedure to ensure all of these services are disabled/off? This keeps happening and it'd be nice if they were clean right off the bat.
>
>> Also, Sarah - are you and others using these systems subscribed to this mailing list? If not, please contact me directly to get that setup.
>>
> I just added Sarah. Please let me know who else should be on the list that you've recently created new LPARs for.
>
>> Healthy Holidays Everyone!!
>>
>> Michael
>>
> You as well!
>
> --
> Lance Albertson
> Director
> Oregon State University | Open Source Lab
>

--
Lance Albertson
Director
Oregon State University | Open Source Lab
-------------- next part --------------
A non-text attachment was scrubbed...
Name: aix-2022-01-02.csv
Type: text/csv
Size: 17578 bytes
Desc: not available
URL:

From aixtools at felt.demon.nl Tue Jan 4 10:35:45 2022
From: aixtools at felt.demon.nl (Michael Felt)
Date: Tue, 4 Jan 2022 11:35:45 +0100
Subject: [ibm-aix-ibmi-hosting] Fwd: Recurring security scans - and actions to be taken.
In-Reply-To: <81795e35-1822-cb14-f50e-7fc4fb943b6a@felt.demon.nl>
References: <81795e35-1822-cb14-f50e-7fc4fb943b6a@felt.demon.nl>
Message-ID: <2f2fad5a-207e-999c-2e6b-a8954c040afa@felt.demon.nl>

The issues 1 through 4 have been addressed.

-------- Forwarded Message --------
Content-Type: multipart/alternative; boundary="------------xkeHFDGdpIa5a4IiAL58hmQG"
Message-ID: <81795e35-1822-cb14-f50e-7fc4fb943b6a at felt.demon.nl>
Date: Tue, 4 Jan 2022 11:00:39 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.4.1
Subject: Re: [ibm-aix-ibmi-hosting] Recurring security scans - and actions to be taken.
Content-Language: en-US
To: Lance Albertson
References: <001b01d7e06f$013744f0$03a5ced0$@xs4all.nl> <3CFAF3F2-157B-B940-BF77-8DF50AFAF1F4 at hxcore.ol>
From: Michael Felt
In-Reply-To:

1) All the lines with X server detection - shouldn't be there, as there (should) have been patches applied to not even open port 6000 (externally).

And, there (should) have been patches applied to scan for hung X11 processes and kill them both before and after a jenkins run.

This seems to show they (the patches) are either not applied, or not working.

2) The SSL certificates issue - that is some default software being installed to support the defunct Director software. I'll look into getting something added to the ansible playbooks to remove that software, if installed. I'll remove it manually from these systems (adopt07|08).

3) The issues with rexecd and telnet - should have been fixed already (I thought I had disabled inetd). There is a PR for the playbooks to do this automatically.

4) re: ntp - this had been addressed in the installation scripts - so I'll have to find out why (probably in ansible playbook) that 'corrects' the settings to something incorrect.

5) the 'golang' httpd version is something those administrators will need to address on their own.

On 03/01/2022 22:25, Lance Albertson wrote:
> Happy New Year!
>
> Attached is the latest report. It looks like p8-java1-adopt7 p8-java1-adopt8 has several things that need to be addressed among other hosts.
>
> Can you please look into these and get back to me?
>
> Thanks-
>
> On Wed, Dec 22, 2021 at 1:48 PM Michael Felt wrote:
>
> I thought it had been merged. I'll get an update on the holdup tomorrow.
>
> ------------------------------------------------------------------------
> *From:* Lance Albertson
> *Sent:* Wednesday, December 22, 2021 7:03 PM
> *To:* Michael Felt
> *Cc:* ibm-aix-ibmi-hosting at osuosl.org
> *Subject:* Re: [ibm-aix-ibmi-hosting] Recurring security scans - and actions to be taken.
>
> On Wed, Dec 22, 2021 at 2:45 AM Michael Felt wrote:
>
> The first two lines, and last line were from a hung process (adopt02 and adopt04, adopt05) - a process to test connections with X11 frame based (Xfb) functionality. It is an empty process - other than accepting connections (afaik). These are not supposed to happen (the jenkins ci scripts are supposed to detect these stray processes at both start and finish).
>
> Is this PR [1] still related to this? If so, it should get merged in soon.
>
> [1] https://github.com/adoptium/aqa-tests/pull/2831
>
> The systems adopt07 and adopt08 are new installs - and the first to be testing jdk17 builds. Not sure what else is going on, but I'll look into that later.
>
> Likewise, the ibm0X systems are new installs. I'll ask someone from IBM to take a look at the report. (@sej aka Sarah Jackson).
>
> Is there something you can add to your new installation procedure to ensure all of these services are disabled/off? This keeps happening and it'd be nice if they were clean right off the bat.
>
> Also, Sarah - are you and others using these systems subscribed to this mailing list? If not, please contact me directly to get that setup.
>
> I just added Sarah. Please let me know who else should be on the list that you've recently created new LPARs for.
>
> Healthy Holidays Everyone!!
>
> Michael
>
> You as well!
>
> --
> Lance Albertson
> Director
> Oregon State University | Open Source Lab
>
> --
> Lance Albertson
> Director
> Oregon State University | Open Source Lab

From lance at osuosl.org Wed Jan 5 00:05:01 2022
From: lance at osuosl.org (Lance Albertson)
Date: Tue, 4 Jan 2022 16:05:01 -0800
Subject: [ibm-aix-ibmi-hosting] Recurring security scans - and actions to be taken.
In-Reply-To: <2f2fad5a-207e-999c-2e6b-a8954c040afa@felt.demon.nl>
References: <81795e35-1822-cb14-f50e-7fc4fb943b6a@felt.demon.nl> <2f2fad5a-207e-999c-2e6b-a8954c040afa@felt.demon.nl>
Message-ID:

On Tue, Jan 4, 2022 at 2:35 AM Michael Felt wrote:

> The issues 1 through 4 have been addressed.
>
Excellent! I'll check when we get next week's report. Thanks for looking into this again.

> 1) All the lines with X server detection - shouldn't be there, as there (should) have been patches applied to not even open port 6000 (externally).
>
> And, there (should) have been patches applied to scan for hung X11 processes and kill them both before and after a jenkins run.
>
> This seems to show they (the patches) are either not applied, or not working.
>
> 2) The SSL certificates issue - that is some default software being installed to support the defunct Director software. I'll look into getting something added to the ansible playbooks to remove that software, if installed. I'll remove it manually from these systems (adopt07|08).
>
> 3) The issues with rexecd and telnet - should have been fixed already (I thought I had disabled inetd). There is a PR for the playbooks to do this automatically.
>
> 4) re: ntp - this had been addressed in the installation scripts - so I'll have to find out why (probably in ansible playbook) that 'corrects' the settings to something incorrect.
>
> 5) the 'golang' httpd version is something those administrators will need to address on their own.
>

--
Lance Albertson
Director
Oregon State University | Open Source Lab

From aixtools at felt.demon.nl Wed Jan 5 08:06:16 2022
From: aixtools at felt.demon.nl (Michael Felt)
Date: Wed, 5 Jan 2022 09:06:16 +0100
Subject: [ibm-aix-ibmi-hosting] Recurring security scans - and actions to be taken.
In-Reply-To:
References: <81795e35-1822-cb14-f50e-7fc4fb943b6a@felt.demon.nl> <2f2fad5a-207e-999c-2e6b-a8954c040afa@felt.demon.nl>
Message-ID: <00eb01d8020b$1d8daeb0$58a90c10$@felt.demon.nl>

The issues with the X11 server - I cannot guarantee will be gone. But if they show up again I'll open some new issues on the adoptium testing GitHub portal, and establish what is/is not there and/or working as expected.

From: Lance Albertson
Sent: Wednesday, 5 January 2022 01:05
To: Michael Felt
Cc: ibm-aix-ibmi-hosting at osuosl.org
Subject: Re: [ibm-aix-ibmi-hosting] Recurring security scans - and actions to be taken.

On Tue, Jan 4, 2022 at 2:35 AM Michael Felt wrote:

The issues 1 through 4 have been addressed.

Excellent! I'll check when we get next week's report. Thanks for looking into this again.

1) All the lines with X server detection - shouldn't be there, as there (should) have been patches applied to not even open port 6000 (externally).

And, there (should) have been patches applied to scan for hung X11 processes and kill them both before and after a jenkins run.

This seems to show they (the patches) are either not applied, or not working.

2) The SSL certificates issue - that is some default software being installed to support the defunct Director software. I'll look into getting something added to the ansible playbooks to remove that software, if installed. I'll remove it manually from these systems (adopt07|08).

3) The issues with rexecd and telnet - should have been fixed already (I thought I had disabled inetd). There is a PR for the playbooks to do this automatically.

4) re: ntp - this had been addressed in the installation scripts - so I'll have to find out why (probably in ansible playbook) that 'corrects' the settings to something incorrect.

5) the 'golang' httpd version is something those administrators will need to address on their own.

--
Lance Albertson
Director
Oregon State University | Open Source Lab
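
The post-install check asked for in the thread (new installs coming up with these services off), as an added example that is not part of the original messages or of the Adoptium playbooks: it reads an inetd.conf-style file and saved `netstat -an` output and reports telnet, rexecd (the `exec` entry) and port 6000 when they listen on a non-loopback address. The function names, file layout and sample input are assumptions constructed for this example.

```shell
#!/bin/sh
# Post-install check for the findings named in the thread: telnet and rexecd
# still enabled in inetd, and an X server reachable on port 6000.

enabled_inetd_services() {
    # $1: inetd.conf-style file. A leading "#" disables an entry; rexecd's entry is "exec".
    awk '$1 == "telnet" || $1 == "exec" { print $1 }' "$1" | sort -u | paste -sd, -
}

external_listeners() {
    # stdin: saved `netstat -an` output. Reports 23 (telnet), 512 (exec) and
    # 6000 (X11) when listening on anything other than loopback.
    awk '$NF == "LISTEN" {
        n = match($4, /[.:][0-9]+$/)   # port follows the last "." (AIX) or ":" (Linux)
        if (!n) next
        host = substr($4, 1, n - 1); port = substr($4, n + 1)
        if (host == "127.0.0.1" || host == "::1") next
        if (port == "23" || port == "512" || port == "6000") print port
    }' | sort -un | paste -sd, -
}

audit_host() {
    # $1: inetd.conf path, $2: netstat output file. Returns non-zero on any finding.
    svcs=$(enabled_inetd_services "$1"); ports=$(external_listeners < "$2")
    if [ -z "$svcs$ports" ]; then echo "clean"; return 0; fi
    echo "inetd=${svcs:-none} listening=${ports:-none}"
    return 1
}

# Constructed sample input, not taken from the scan report in the thread.
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/inetd.conf" <<'EOF'
#ftp    stream  tcp6  nowait  root  /usr/sbin/ftpd     ftpd
telnet  stream  tcp6  nowait  root  /usr/sbin/telnetd  telnetd -a
exec    stream  tcp6  nowait  root  /usr/sbin/rexecd   rexecd
EOF
cat > "$SAMPLE/netstat.txt" <<'EOF'
Proto Recv-Q Send-Q  Local Address     Foreign Address   (state)
tcp4       0      0  *.22              *.*               LISTEN
tcp4       0      0  *.23              *.*               LISTEN
tcp4       0      0  *.512             *.*               LISTEN
tcp4       0      0  127.0.0.1.6000    *.*               LISTEN
EOF
audit_host "$SAMPLE/inetd.conf" "$SAMPLE/netstat.txt" || true
```

On a live host, pass `/etc/inetd.conf` and a file holding the output of `netstat -an`; the non-zero return lets a provisioning run fail when a finding remains.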