#security (2020-03)

Archive: https://archive.sweetops.com/security/

2020-03-27

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Adding @ bot

discourse_forum avatar
discourse_forum
10:06:35 PM

@ has joined the channel

2020-03-23

Maciek Strömich avatar
Maciek Strömich
CS253 - Web Security

Principles of web security. The fundamentals and state-of-the-art in web security. Attacks and countermeasures. Topics include: the browser security model, web app vulnerabilities, injection, denial-of-service, TLS attacks, privacy, fingerprinting, same-origin policy, cross site scripting, authentication, JavaScript security, emerging threats, defense-in-depth, and techniques for writing secure code. Course projects include writing security exploits, defending insecure web apps, and implementing emerging web standards.

2020-03-16

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
How to add multiple secrets · Issue #22 · mumoshu/aws-secret-operator

I have a secret called apiVersion: mumoshu.github.io/v1alpha1 kind: AWSSecret metadata: name: db-secrets namespace: authentication spec: stringDataFrom: secretsManagerSecretRef: secretId: mysecret …

mumoshu avatar
mumoshu
07:45:56 PM

@mumoshu has joined the channel

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@Jeremy Grodberg on our team is also curious if we can do this?

mumoshu avatar
mumoshu

@Erik Osterman (Cloud Posse) It isn’t possible today but seems easy to add support for. Could you expand more on your use-case(s) though?

https://github.com/mumoshu/aws-secret-operator/issues/22#issuecomment-599817070

How to add multiple secrets · Issue #22 · mumoshu/aws-secret-operator

I have a secret called apiVersion: mumoshu.github.io/v1alpha1 kind: AWSSecret metadata: name: db-secrets namespace: authentication spec: stringDataFrom: secretsManagerSecretRef: secretId: mysecret …

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

thanks @mumoshu - updated issue with a better example

How to add multiple secrets · Issue #22 · mumoshu/aws-secret-operator

I have a secret called apiVersion: mumoshu.github.io/v1alpha1 kind: AWSSecret metadata: name: db-secrets namespace: authentication spec: stringDataFrom: secretsManagerSecretRef: secretId: mysecret …

2020-03-11

Meb avatar

regarding: https://github.com/cloudposse/bastion I see that if you add slack notification, webhook token will be in env vars…

cloudposse/bastion

Secure Bastion implemented as Docker Container running Alpine Linux with Google Authenticator & DUO MFA support - cloudposse/bastion

Meb avatar

wouldn’t that be safer to login using another user than root? to hide it?

Meb avatar

even if it’s an alpine docker with minimal commands

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

it’s just tricker to orchestrate and in the end, all the webhook can do is post messages. Of course, that can be used for phishing and other things, but don’t see any way an unprivileged user couldn’t game it.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

oh, and the idea with bastion is to mount a passwd file so users aren’t root.

Meb avatar

yep agree but they are bound to root on bastion. instead of user without sudo

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)


they are bound

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

what does they refer to?

Meb avatar

users logged in.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

no, sshd should be handling that like any other system

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

sshd runs as root so it can drop perms to the user logging in

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

yes, the container itself runs as root

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

but that’s the only way sshd can have the right permissions to change uid

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

if we had the container run as nobody for example, then sshd could not change uid to something like UID 1001

:--1:1
Meb avatar

by the way noticed the make is not working. Strange the make build:latest will fail in the project. Did I miss something?

Meb avatar

I grabbed instead the latest build

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

I think just run “make build”

1

2020-03-10

Maciek Strömich avatar
Maciek Strömich
<https://mobile.twitter.com/qwertyoruiopz/status/1237400079465689088?s=21 https://mobile.twitter.com/qwertyoruiopz/status/1237400079465689088?s=21>
attachment image
checkra1n for T2 - thanks to [@h0m3us3r> [@MCMrARM> <https://twitter.com/Aunali1 @Aunali1](https://twitter.com/MCMrARM) and rickmart for their T2 work <https://pbs.twimg.com/media/ESwd-g-XkAIdmZj.jpg](https://twitter.com/h0m3us3r)

2020-03-08

btai avatar

Has anyone used gatekeeper without keycloak? Works ok? Thinking about integrating it with one login

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Haven’t tried but curious what you figure out

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

2020-03-05

2020-03-04

2020-03-03

btai avatar
Revoking certain certificates on March 4

Due to the 2020.02.29 CAA Rechecking Bug, we unfortunately need to revoke many Let’s Encrypt TLS/SSL certificates. We’re e-mailing affected subscribers for whom we have contact information. This post and thread will collect answers to frequently asked questions about this revocation, and how to avoid problems by renewing affected certificates early. If you’re affected, please: thoroughly read this thread, and search the community forum, for an answer to your question. If you don’t find one, ple…

:--1:1
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

good looking out!

Revoking certain certificates on March 4

Due to the 2020.02.29 CAA Rechecking Bug, we unfortunately need to revoke many Let’s Encrypt TLS/SSL certificates. We’re e-mailing affected subscribers for whom we have contact information. This post and thread will collect answers to frequently asked questions about this revocation, and how to avoid problems by renewing affected certificates early. If you’re affected, please: thoroughly read this thread, and search the community forum, for an answer to your question. If you don’t find one, ple…

Alex Siegman avatar
Alex Siegman

To help folks out, here’s how I forced cert-manager to renew my certs in place with no downtime.

kubectl get certificates
kubectl edit certificate <name>

\# add the following k:v pair to the YAML

\# spec:

\#   renewBefore: 2040h
kubectl get events # watch for it to renew and be done
kubectl get certificate <name> -o yaml

\# check transition date and expiry date, should be 90 days out
kubectl edit certificate <name>

\# revert changes to spec.renewBefore
:--1:1
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@Adam Blackwell

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
jetstack/letsencrypt-caa-bug-checker

Tool to check your Kubernetes cluster for certificates affected by Let’s Encrypt’s CAA rechecking bug - jetstack/letsencrypt-caa-bug-checker

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
IMPORTANT: Handling the Let's Encrypt CAA rechecking bug revocation · Issue #2651 · jetstack/cert-manager

In order to help users to handle the recent announcement that Let&#39;s Encrypt will be revoking a number of certificates due to a bug in the way they validate CAA records, we have created a tool t…

Alex Siegman avatar
Alex Siegman

bah, i’m still on 0.9, bug checker tool doesn’t work for me >.<

Adam Blackwell avatar
Adam Blackwell
12:00:56 AM

@Adam Blackwell has joined the channel

    keyboard_arrow_up