#security (2020-03)

Archive: https://archive.sweetops.com/security/

2020-03-27

Erik Osterman avatar
Erik Osterman

Adding @ bot

discourse_forum avatar
discourse_forum
10:06:35 PM

@ has joined the channel

2020-03-23

Maciek Strömich avatar
Maciek Strömich
CS253 - Web Security

Principles of web security. The fundamentals and state-of-the-art in web security. Attacks and countermeasures. Topics include: the browser security model, web app vulnerabilities, injection, denial-of-service, TLS attacks, privacy, fingerprinting, same-origin policy, cross site scripting, authentication, JavaScript security, emerging threats, defense-in-depth, and techniques for writing secure code. Course projects include writing security exploits, defending insecure web apps, and implementing emerging web standards.

2020-03-16

Erik Osterman avatar
Erik Osterman
How to add multiple secrets · Issue #22 · mumoshu/aws-secret-operator

I have a secret called apiVersion: mumoshu.github.io/v1alpha1 kind: AWSSecret metadata: name: db-secrets namespace: authentication spec: stringDataFrom: secretsManagerSecretRef: secretId: mysecret …

mumoshu avatar
mumoshu
07:45:56 PM

@mumoshu has joined the channel

Erik Osterman avatar
Erik Osterman

@Jeremy Grodberg on our team is also curious if we can do this?

mumoshu avatar
mumoshu

@Erik Osterman It isn’t possible today but seems easy to add support for. Could you expand more on your use-case(s) though?

https://github.com/mumoshu/aws-secret-operator/issues/22#issuecomment-599817070


Erik Osterman avatar
Erik Osterman

thanks @mumoshu - updated issue with a better example


2020-03-11

Meb avatar

regarding: https://github.com/cloudposse/bastion I see that if you add the slack notification, the webhook token will be in env vars…

cloudposse/bastion

Secure Bastion implemented as Docker Container running Alpine Linux with Google Authenticator & DUO MFA support - cloudposse/bastion

Meb avatar

wouldn’t it be safer to log in as a user other than root? to hide it?

Meb avatar

even if it’s an alpine docker with minimal commands

Erik Osterman avatar
Erik Osterman

it’s just trickier to orchestrate and in the end, all the webhook can do is post messages. Of course, that can be used for phishing and other things, but I don’t see any way an unprivileged user couldn’t game it.

Erik Osterman avatar
Erik Osterman

oh, and the idea with bastion is to mount a passwd file so users aren’t root.

Meb avatar

yep agree but they are bound to root on bastion, instead of a user without sudo

Erik Osterman avatar
Erik Osterman
they are bound

Erik Osterman avatar
Erik Osterman

what does they refer to?

Meb avatar

users logged in.

Erik Osterman avatar
Erik Osterman

no, sshd should be handling that like any other system

Erik Osterman avatar
Erik Osterman

sshd runs as root so it can drop perms to the user logging in

Erik Osterman avatar
Erik Osterman

yes, the container itself runs as root

Erik Osterman avatar
Erik Osterman

but that’s the only way sshd can have the right permissions to change uid

Erik Osterman avatar
Erik Osterman

if we had the container run as nobody for example, then sshd could not change uid to something like UID 1001

Meb avatar

by the way, I noticed that make is not working. Strange, make build:latest fails in the project. Did I miss something?

Meb avatar

I grabbed instead the latest build

Erik Osterman avatar
Erik Osterman

I think just run “make build”


2020-03-10

Maciek Strömich avatar
Maciek Strömich
https://mobile.twitter.com/qwertyoruiopz/status/1237400079465689088?s=21

checkra1n for T2 - thanks to @h0m3us3r (https://twitter.com/h0m3us3r), @MCMrARM (https://twitter.com/MCMrARM), @Aunali1 (https://twitter.com/Aunali1) and rickmart for their T2 work https://pbs.twimg.com/media/ESwd-g-XkAIdmZj.jpg

2020-03-08

btai avatar

Has anyone used gatekeeper without keycloak? Works ok? Thinking about integrating it with one login

Erik Osterman avatar
Erik Osterman

Haven’t tried but curious what you figure out

2020-03-03

btai avatar
Revoking certain certificates on March 4

Due to the 2020.02.29 CAA Rechecking Bug, we unfortunately need to revoke many Let’s Encrypt TLS/SSL certificates. We’re e-mailing affected subscribers for whom we have contact information. This post and thread will collect answers to frequently asked questions about this revocation, and how to avoid problems by renewing affected certificates early. If you’re affected, please: thoroughly read this thread, and search the community forum, for an answer to your question. If you don’t find one, ple…

Erik Osterman avatar
Erik Osterman

good looking out!


Alex Siegman avatar
Alex Siegman

To help folks out, here’s how I forced cert-manager to renew my certs in place with no downtime.

kubectl get certificates
kubectl edit certificate <name>
# add the following k:v pair to the YAML
# spec:
#   renewBefore: 2040h
kubectl get events   # watch for it to renew and be done
kubectl get certificate <name> -o yaml
# check transition date and expiry date, should be 90 days out
kubectl edit certificate <name>
# revert changes to spec.renewBefore
Erik Osterman avatar
Erik Osterman

@Adam Blackwell

Erik Osterman avatar
Erik Osterman
jetstack/letsencrypt-caa-bug-checker

Tool to check your Kubernetes cluster for certificates affected by Let’s Encrypt’s CAA rechecking bug - jetstack/letsencrypt-caa-bug-checker

Erik Osterman avatar
Erik Osterman
IMPORTANT: Handling the Let's Encrypt CAA rechecking bug revocation · Issue #2651 · jetstack/cert-manager

In order to help users to handle the recent announcement that Let's Encrypt will be revoking a number of certificates due to a bug in the way they validate CAA records, we have created a tool t…

Alex Siegman avatar
Alex Siegman

bah, i’m still on 0.9, bug checker tool doesn’t work for me >.<

Adam Blackwell avatar
Adam Blackwell
12:00:56 AM

@Adam Blackwell has joined the channel
