#security (2018-09)
Archive: https://archive.sweetops.com/security/
2018-09-02
@mbarrien has joined the channel
2018-09-07
@endofcake has joined the channel
2018-09-11
Anyone using alpine as a base image should consider enabling TLS on repos to avoid MITM attacks
Surprised it’s not enabled by default
Switch to the HTTPS alpine apk repositories #249
Yea, it is. Surprised me too.
2018-09-12
@justin.dynamicd have you used this? https://www.vaultproject.io/docs/secrets/ssh/
When using this type, the administrator registers a secret key with appropriate sudo privileges on the remote machines. For every authorized credential request, Vault creates a new SSH key pair and appends the newly-generated public key to the authorized_keys file for the configured username on the remote host. Vault uses a configurable install script to achieve this.
It’s been deprecated, so I ended up using SSHCA instead.
Yea sorry linked to wrong page
It’s cleaner too, because you’re not constantly shedding keys to the target servers; they just trust the Vault CA and Vault gives out short-lived certs
Yea like with teleport and Netflix bless
How long have you been using it?
Was it easy to get up and running?
At that time we had Puppet pushing changes so adding the cert wasn’t too bad… Ansible would have been just as easy
That’s the hardest part: pushing the trusted public key to all your machines
Are you redeploying? Do you have some kind of cfg management? Etc.
Security had a big requirement of no self-signed, so I had to follow extra steps to make Vault an issuing CA and not a root. But that’s a one-time thing
No, our case is a bit different. Would be containers.
Ssh into containers?
But I think we will stick with teleport approach
Bastions are deployed as containers
In your case rebuild lol. But yeah, didn’t try it on containers (should work just fine)
Does Teleport track logins? That was the thing our security team liked. It logged every access request
“jking requested a cert for the next 1hour for target y”
this was just released, but may not help with containers, https://aws.amazon.com/blogs/aws/new-session-manager
but it does track and audit the logins and commands
Just tried using that today… But our ssmagent is too old.
Looks nice though
That’s cool. Didn’t see the announcement.
In the containers I had (company actually moved off them) we tried to just parse logs and redeploy. Bastions were traditional hosts
Yeah, I think an ssmagent update is in the backlog. If it works like Azure then it will be nice to be able to disable ssh
New release enabling the ssm session manager, https://github.com/aws/amazon-ssm-agent/releases/tag/2.3.50.0
Agent to enable remote management of your Amazon EC2 instance configuration. - aws/amazon-ssm-agent
Late to this… Looks interesting, I can’t think of use cases though. I gravitate more towards immutable infra these days so I can’t think of a reason I’d want to run a command on an EC2 instance, I’m prob not thinking hard enough!
I gravitate there also… but sometimes it takes a while to get the immutable bits all just right, and maybe the instrumentation isn’t perfected yet. Can be pretty valuable to poke around to see what failed and maybe try a couple options at fixing, before patching upstream
yea, for triaging/RCA, it’s difficult to escape
that said, teleport is still a better product IMO b/c it supports session logs
my understanding was that this also captured the session, stored in cloudwatch logs?
from the blog post:
Auditability – Commands and responses can be logged to Amazon CloudWatch and to an S3 bucket. You can arrange to receive an SNS notification when a new session is started.
https://aws.amazon.com/blogs/aws/new-session-manager
is a session log something different in teleport?
No, that’s the same thing. I missed that. I thought it was slated as a later feature.
I wonder how it works if it is a raw log
E.g. replaying a vim transcript.
With teleport, you get a YouTube style playback
looks like a textual log, not a video, according to screenshots later in that blog… not sure how it would work with vim
2018-09-22
NOTE: This guide is geared towards a Kubernetes cluster running in AWS. You might have to tweak things to fit your needs.
Looks like an alternative to the bitly oauth2 proxy which is unmaintained
But this one seems pretty tightly coupled to google
Single Sign-On Kubernetes operator for Dex identity provider - jenkins-x/sso-operator
Hi, As everyone here can see, the project is almost abandoned. I believe someone or preferable a group of people fluent in Go lang should create an 'official' fork of the project so the com…
@Igor Rodionov the bitly oauth2 proxy is officially abandoned by bitly and will be archived by the end of the month
Upstream for this project (which has not worked in ages against anything close to a current implementation of ingress controllers) has been abandoned. See bitly/oauth2_proxy#628 (comment) My compan…
@Igor Rodionov has joined the channel
@Max Moon should probably consider replacing oauth2 proxy with Cloudflare Access
@Max Moon has joined the channel
2018-09-26
Custom & better AppArmor profile generator for Docker containers. - genuinetools/bane