Dustin Collins dustinmm80

dustinmm80 / secretless.md
Created Sep 21, 2018
dynamic secrets are a bandaid. get rid of the secrets altogether

do our applications really need to have access to secrets, exposing them as yet another threat vector for credential theft and loss?

i'm an engineer on the cyberark/conjur team. we'd love feedback on our new project, secretless. it is free (as in free, not as in beer) OSS and we think it will help solve some of your thornier security problems. this is not just another secrets vault.

View keybase.md

Keybase proof

I hereby claim:

  • I am dustinmm80 on github.
  • I am dustinmm80 (https://keybase.io/dustinmm80) on keybase.
  • I have a public key ASAi3XCVnnkJYZ7RyeOAbWUC_OJXWoNiec87GFJ6EC4Q5Qo

To claim this, I am signing this object:

dustinmm80 / machine_identity.sh
Created Mar 8, 2016
Applying Conjur machine identity with CloudFormation interpolation
host_token={{ref('HostFactoryToken')}}
node_name={{ref('NodeName')}}
host_id=$node_name-$(curl http://169.254.169.254/latest/meta-data/instance-id)
host_identity=/var/conjur/host-identity.json
CONJUR_HOST_IDENTITY_VERSION=v1.0.1
CONJUR_SSH_VERSION=v1.2.5
export HOME=/root
dustinmm80 / swarm.sh
Created Mar 8, 2016
Connecting Jenkins executor to master with Jenkins Swarm plugin
echo "Connecting with Jenkins Swarm plugin"
sudo -H -u jenkins bash -c '
curl -kL -o $HOME/swarm-client.jar \
http://repo.jenkins-ci.org/releases/org/jenkins-ci/plugins/swarm-client/2.0/swarm-client-2.0-jar-with-dependencies.jar
'
sudo -H -u jenkins bash -c "
java -jar \$HOME/swarm-client.jar \
-fsroot /var/lib/jenkins \
-executors 6 \
dustinmm80 / core-patch-4.5.1.patch
Last active Jan 18, 2016
Patch for core on Conjur 4.5.1 to remove variable values from logs
diff --git a/config/application.rb b/config/application.rb
index 8682244..d233004 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -13,10 +13,11 @@ module ConjurCore
class Application < Rails::Application
config.eager_load_paths << "#{config.root}/app/models/secret_store.rb"
config.encoding = "utf-8"
- config.filter_parameters += [:password]
+ config.filter_parameters += [:password, :value]
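Review bot: the new :value entry on the config.filter_parameters line is applied by Rails as a partial match on parameter names, so it will mask every request parameter whose name contains "value", not only the variable value this patch targets. If that breadth is not intended, use an anchored pattern such as /\Avalue\z/ instead of the bare symbol. Note also that filter_parameters only scrubs request parameters in the request log; variable values written by other log statements are not covered by this line and are worth checking separately, ideally with a test that stores a value and asserts it is absent from the log output.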
dustinmm80 / infoq_abstract.md
Created Dec 14, 2015
Abstract for InfoQ security blog post

Securing the Modern Development Lifecycle

Abstract

Information security practice has evolved to be pretty good at granting and managing access to confidential information - by people. But automation is taking over. Applications, servers, even networks are not configured and deployed by hand anymore. This is great; our systems and delivery pipelines are becoming faster and more robust. Automation, however, requires a shift in how we think about securing our infrastructure and the applications that run on it. When delegating our authority to non-human actors, we want to make sure they can only do what we ask. Modern infrastructure is made of cattle, not pets. A VM or container may be running less than the time it takes to record their existence by hand. In this article, I will cover a few common steps in the modern development lifecycle and share best practices for securing them.

Outline

  1. Development - Keep secrets out of source, off filesystem. Make it easy for people to get what they need and au
dustinmm80 / cli-4.28.0.md
Created Oct 28, 2015
Conjur CLI v4.28.0 release notes

We have just released Conjur CLI v4.28.0!

The big change is that you can now retire policies. Read more about policies here.

These bugs were also fixed:

  • Fix --as-group and --as-role options for conjur policy load. Either can now be used to specify ownership of the policy.
  • Fix --follow option for conjur audit.

We have also removed support for per-project .conjurrc files.

dustinmm80 / jenkins-build-pipeline.css
Created Sep 29, 2015
Custom CSS for Conjur Jenkins build pipeline page
#side-panel {
width: 0;
}
#main-panel {
margin: 0;
}
dustinmm80 / authn-ldap-readme.md
Last active Sep 4, 2015
User docs for Conjur authn-ldap connector

Conjur Authn-LDAP

Download v0.2.0

A Conjur authenticator which calls out to an external LDAP service to bind.

Configuration with environment variables

Slosilo key setup

dustinmm80 / variable_group_example_policy.rb
Last active Aug 29, 2015
Example of grouping variables in a Conjur policy
# List of created variables
dev_variables = [...]
# Creating a role of type 'variable_group' with name 'dev-variables'
dev_variables_group = role 'variable_group', 'dev-variables'
# Allow that role to execute the variables
dev_variables.each do |v|
v.permit 'execute', dev_variables_group
end