#security (2018-09)

Archive: https://archive.sweetops.com/security/

2018-09-02

mbarrien
07:32:11 AM

@mbarrien has joined the channel

2018-09-07

endofcake
09:30:04 PM

@endofcake has joined the channel

2018-09-11

Erik Osterman (Cloud Posse)

Anyone using alpine as a base image should consider enabling TLS on repos to avoid MITM attacks

Erik Osterman (Cloud Posse)

Surprised it’s not enabled by default

tamsky

is lol an appropriate response?

Erik Osterman (Cloud Posse)

Yea, it is. Surprised me too.

2018-09-12

Erik Osterman (Cloud Posse)

@justin.dynamicd have you used this? https://www.vaultproject.io/docs/secrets/ssh/

Dynamic SSH Keys - SSH - Secrets Engines - Vault by HashiCorp

When using this type, the administrator registers a secret key with appropriate sudo privileges on the remote machines. For every authorized credential request, Vault creates a new SSH key pair and appends the newly-generated public key to the authorized_keys file for the configured username on the remote host. Vault uses a configurable install script to achieve this.

justin.dynamicd

It’s been deprecated, so I ended up using SSHCA instead.

Erik Osterman (Cloud Posse)

Yea sorry linked to wrong page

justin.dynamicd

It’s cleaner too, because you’re not constantly shedding keys to the target servers; they just trust the vault CA and vault gives out short lived certs

Erik Osterman (Cloud Posse)

Yea like with teleport and Netflix bless

Erik Osterman (Cloud Posse)

How long have you been using it?

Erik Osterman (Cloud Posse)

Was it easy to get up and running?

justin.dynamicd

At that time we had Puppet pushing changes so adding the cert wasn’t too bad… Ansible would have been just as easy

justin.dynamicd

That’s the hardest part: pushing the trusted public to all your machines

justin.dynamicd

Are you redeploying? Do you have some kind of cfg management? Etc.

justin.dynamicd

Security had a big requirement of no self-signed so I had to follow extra steps to make vault an issuing CA and not a root. But that’s a one time thing

Erik Osterman (Cloud Posse)

No, our case is a bit different. Would be containers.

justin.dynamicd

Ssh into containers?

Erik Osterman (Cloud Posse)

But I think we will stick with teleport approach

Erik Osterman (Cloud Posse)

Bastions are deployed as containers

justin.dynamicd

In your case rebuild lol. But yeah, didn’t try it on containers (should work just fine)

justin.dynamicd

Does teleport track logins? That was the thing our security team liked. It logged every access request

justin.dynamicd

“jking requested a cert for the next 1 hour for target y”

loren

this was just released, but may not help with containers, https://aws.amazon.com/blogs/aws/new-session-manager

loren

but it does track and audit the logins and commands

justin.dynamicd

Just tried using that today… But our ssmagent is too old.

justin.dynamicd

Looks nice though

Erik Osterman (Cloud Posse)

That’s cool. Didn’t see the announcement.

justin.dynamicd

In the containers I had (company actually moved off them) we tried to just parse logs and redeploy. Bastions were traditional hosts

justin.dynamicd

Yeah, I think a ssmagent update is in the backlog. If it works like Azure then it will be nice to be able to disable ssh

loren

New release enabling the ssm session manager, https://github.com/aws/amazon-ssm-agent/releases/tag/2.3.50.0

aws/amazon-ssm-agent

Agent to enable remote management of your Amazon EC2 instance configuration. - aws/amazon-ssm-agent

sarkis

Late to this… Looks interesting, I can’t think of use cases though. I gravitate more towards immutable infra these days so I can’t think of a reason I’d want to run a command on an ec2 instance, I’m prob not thinking hard enough!


loren

i gravitate there also… but sometimes it takes a while to get the immutable bits all just right, and maybe the instrumentation isn’t perfected yet. can be pretty valuable to poke around to see what failed and maybe try a couple options at fixing, before patching upstream

Erik Osterman (Cloud Posse)

yea, for triaging/RCA, it’s difficult to escape

Erik Osterman (Cloud Posse)

that said, teleport is still a better product IMO b/c it supports session logs

loren

my understanding was that this also captured the session, stored in cloudwatch logs?

loren

from the blog post:
Auditability – Commands and responses can be logged to Amazon CloudWatch and to an S3 bucket. You can arrange to receive an SNS notification when a new session is started.
https://aws.amazon.com/blogs/aws/new-session-manager

loren

is a session log something different in teleport?

Erik Osterman (Cloud Posse)

No, that’s the same thing. I missed that. I thought it was slated as a later feature.

Erik Osterman (Cloud Posse)

I wonder how it works if it is a raw log

Erik Osterman (Cloud Posse)

E.g. replaying a vim transcript.

Erik Osterman (Cloud Posse)

With teleport, you get a YouTube style playback

loren

looks like a textual log, not a video, according to screenshots later in that blog… not sure how it would work with vim

2018-09-17

2018-09-18

2018-09-19

2018-09-22

Erik Osterman (Cloud Posse)
Single Sign-On for Internal Apps in Kubernetes using Google Oauth / SSO

NOTE: This guide is geared towards a Kubernetes cluster running in AWS. You might have to tweak things to fit your needs.

Erik Osterman (Cloud Posse)

Looks like an alternative to the bitly oauth2 proxy which is unmaintained

Erik Osterman (Cloud Posse)

But this one seems pretty tightly coupled to google

Erik Osterman (Cloud Posse)
jenkins-x/sso-operator

Single Sign-On Kubernetes operator for Dex identity provider - jenkins-x/sso-operator

Erik Osterman (Cloud Posse)
Proposal for Official Fork · Issue #628 · bitly/oauth2_proxy

Hi, As everyone here can see, the project is almost abandoned. I believe someone or preferable a group of people fluent in Go lang should create an 'official' fork of the project so the com…

Erik Osterman (Cloud Posse)

@Igor Rodionov the bitly oauth2 proxy is officially abandoned by bitly and will be archived by the end of the month

Erik Osterman (Cloud Posse)
[stable/oauth2-proxy] Deprecates oauth2-proxy by compleatang · Pull Request #7454 · helm/charts

Upstream for this project (which has not worked in ages against anything close to a current implementation of ingress controllers) has been abandoned. See bitly/oauth2_proxy#628 (comment) My compan…

Igor Rodionov
09:42:41 PM

@Igor Rodionov has joined the channel

Erik Osterman (Cloud Posse)

@Max Moon should probably consider replacing oauth2 proxy with CloudFlare access

Max Moon
09:51:13 PM

@Max Moon has joined the channel

2018-09-26

Max Moon
genuinetools/bane

Custom & better AppArmor profile generator for Docker containers. - genuinetools/bane
