This video demonstrates how to configure Pod Security Policies in Kubernetes. To me, this has the difficulty level at 8/10.
It covers the admission controller, and how important on the service account. Then it talks about policies and RBAC.
The written instruction is available at https://octetz.com/docs/2018/2018-12-07-psp/
Although this is a 4 years old webinar, I found it is still worth for today. The goals of this webinar is to raise the awareness risk in K8s and demonstrate the 'live' hacking and attacking a K8s. It also provides some hardening methods and tips.
The webinar introduces a number of tools for securing K8s and a lot of hardening tips for your K8s cluster.
KubeATF - A tool used to automate the creation, validation, and destruction of K8s in a consistent way.
Bulkhead - A plugin that perform security posture scans on all nodes from within your K8s.
Links:
Kubernetes Security Best Practices by Ian Lewis, Google
Containers give developers the ability to isolate applications from one another, but that’s not enough. Resource isolation is much different that security isolation. How do we make applications deployed in containers more secure? What tools can be we apply to our containers running in Kubernetes to make them more secure? How can we apply policy to our network and services to make sure applications only have access to what they need and nothing more?
In this talk, attendees will learn about the risks and attack surfaces of a Kubernetes cluster. s-We'll look at tools like PodSecurityPolicy, SELinux, AppArmor, seccomp, and sandboxed containers in action to improve the security of containers. We’ll then go up the stack and learn how to apply network policy to containers to further improve security.
Agenda:
Note:
Links:
Most modern desktop and laptop comes with Windows 8 or 10 keys embedded in BIOS. With Windows being installed as VM, someone can find and retrieve Windows 10/11 key using Linux host OS. The key helps to activate the Windows version without any input from users.
$ sudo cat /sys/firmware/acpi/tables/MSDM | tail -1
If oyu are running Windows OS, you can also retrieve the product with wmic:
c:\> wmic path softwarelicensingservice get OA3xOriginalProductKey
OA3xOriginalProductKey
XXXXX-42F7Y-XXXXX-YRMYC-XXXXX
There is a excellent article about setting up transparent proxy to control web traffic using Squid and Cisco router. Here's my summary note.
Step 1: Install Squid Cache
Step 2: Prepare Squid Cache
$ sudo vi /etc/sysctl.conf
# To make sure the OS will never drop the packet because of wrong dest IP addr.
net.ipv4.ip_forward = 1 #set to 1 for enable the packet forwarding feature
# To make sure the OS will accept packets that not accessible or the dest IP addr in the same subnet
net.ipv4.conf.default.rp_filter = 0 # set to 0 for disable the reverse path filter behavior
$
Step 3: Create GRE interface
$ vi /etc/sysconfig/network-script/ifcfg-gre0
DEVICE=gre0
BOOTPROTO=static
IPADDR=10.0.0.2 #unused ip address in your network
NETMASK=255.255.255.252
ONBOOT=yes
IPV6INIT=no
$ sudo service network restart
$
Step 4: Configuring Squid Cache
$ vi /etc/squid/squid.conf
http_port 3128 intercept # Define SQUID listening port
wccp2_router 192.168.1.254 #ip address of the router
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0
$ service squid restart
$ sudo iptables -t nat -A PREROUTING -i gre0 -p tcp --dport 80 -j REDIRECT --to-port 3128
$ sudo iptables -t nat -A POSTROUTING -j MASQUERADE
Step 5: Cisco router configuration
Enable WCCP at Cisco router
R1(config)# ip wccp version 2
Then we must use an ACL for introducing SQUID cache machine to router
R1(config)# ip access-list standard SQUID-MACHINE
R1(config-std-nacl)# permit host 192.168.1.10
Define ACL to except squid-cache from WCCP tunnel. Then forward web traffic to squid-cache via WCCP tunnel.
R1(config)#ip access-list LAN-TRAFFICS
R1(config-ext-nacl)#deny ip host 192.168.1.10 any #Prevent SQUID to get in loop
R1(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 any equal www #define LAN Traffics
Next, create ACL with WCCP:
R1(config)# ip wccp web-cache redirect-list LAN-TRAFFIC group-list SQUID-MACHINE
Last, specific the interface for web traffic re-direction:
R1(config)#interface fastEthernet 0/0
R1((config-if)# ip wccp web-cache redirect in
Link:
This is an easy to follow webinar fro David Hazar that talks about the top-5 failures and best practices in vulnerability management.
Top Five Failures in Vulnerability Management:
Notes:
Best Practices:
Heard of SQL-injection (SQLi)? Do you know we can do script injection, similar to SQLi? Here is how to protect the shell script from injection attack.
First, check out what is SheBang if you haven't heard of it.
Second, sometime you will notice some SheBang will end with - or --.
#!/bin/bash -
#!/bin/bash --
The purpose of the single-dash is to protect it from script injection. IT simply mens the end of the options and disable any further option processing. Any argument after the -- is treated as filenames and arguments
This can protect the script from setuid based root spoofing and avoid interpreter spoofing, and eventually improve script security.
* Many OS ignore the setuid attribute when it detects shebang in an executable shell scripts.
Links:
To make a portable SheBang across different UNIX OS, we can use /usr/bin/env command as shebang. For example:
#!/usr/bin/env bash
#!/usr/bin/env perl
#!/usr/bin/env python
The advantage is, it will use whatever interpreter executable appears first in the running user’s $PATH variable.
To locate a full or exact path, like env, we can use 3 commands:
$ type env
$ command -V env
$ which env
Links:
Shebang starts with #! characters and the path to the bash or other interpreter of your choice. Let us see what is Shebang in Linux and Unix bash shell scripts.
The #! syntax is used in scripts to indicate an interpreter for script execution. The directive must be the first line of script and must start with shebang #!. You can add argument after the shebang characters, which is optional. Make sure the interpreter is the full path to a binary file.
For example:
#!/bin/bash
#!/bin/bash -x
#!/usr/bin/env python
To ignore SheBang, just override the SheBang at the command line.
$ python2 hello_world.py
Links:
