You can use these commands and rules to search for exploitation attempts against log4j RCE vulnerability CVE-2021-44228
This command searches for exploitation attempts in uncompressed files in folder /var/log and all sub folders
sudo egrep -I -i -r '\$(\{|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[^\n]+' /var/log
| embed-server --server-config=standalone.xml --std-out=echo | |
| /subsystem=logging/json-formatter=JSON/:add | |
| /subsystem=logging/console-handler=CONSOLE/:write-attribute(name=named-formatter,value=JSON) | |
| stop-embedded-server |
Information in this Gist originally from this github issue, which is outdated.
As @RomanMinkin mentioned, you can also consider Casbin (https://github.com/casbin/casbin). It is the most starred authorization library in Golang. There are several differences between Casbin and OPA.
| Feature | Casbin | OPA |
|---|---|---|
| Library or service? | Library/Service | Library/Service |
| How to write policy? | Two parts: model and policy. Model is general authorization logic. Policy is concrete policy rule. | A single part: Rego |
| RBAC hierarchy | Casbin supports role hierarchy (a role can have a sub-role) | Role hierarchies can be encoded in data. Also with the new graph.reachable() built-in function queries over those hierarchies are much more feasible now. |
| RBAC separation of duties | Not supported | Supported: two roles cannot be assigned together |
Keycloak 10.0.1 is based on Wildfly 19 which comes with support for OpenTracing. However the OpenTracing support in Keycloak is not active by default. This small example demonstrates how to enable OpenTracing in the latest Keycloak version based on the article Micro_Profile_OpenTracing_Comes_To_WildFly
This example tries to explore a solution for KEYCLOAK-8288.
A lot of people land when trying to find out how to calculate CPU usage metric correctly in prometheus, myself included! So I'll post what I eventually ended up using as I think it's still a little difficult trying to tie together all the snippets of info here and elsewhere.
This is specific to k8s and containers that have CPU limits set.
To show CPU usage as a percentage of the limit given to the container, this is the Prometheus query we used to create nice graphs in Grafana:
sum(rate(container_cpu_usage_seconds_total{name!~".*prometheus.*", image!="", container_name!="POD"}[5m])) by (pod_name, container_name) /
| #!/usr/bin/env python3 | |
| """This is a sample Python 3 app that hosts an OIDC app with Flask to | |
| authenticate against Okta and run example calls against the new Okta OAuth-scoped APIs. | |
| This example can also be used to host authentication for an OIDC webapp that does not use | |
| the OAuth API scopes. | |
| This was created with an MVP in mind as an example to demonstrate the ease of interacting | |
| with Okta's Authroization Code flow and should not be used in production without | |
| additions to error/state-handling and strong scrutiny.""" | |
| # use https://github.com/lambci/docker-lambda to simulate a lambda environment | |
| docker run -it --rm --entrypoint bash -e ODBCINI=/opt/odbc.ini -e ODBCSYSINI=/opt/ lambci/lambda:build-python3.7 | |
| # download and install unixODBC | |
| # http://www.unixodbc.org/download.html | |
| curl ftp://ftp.unixodbc.org/pub/unixODBC/unixODBC-2.3.7.tar.gz -O | |
| tar xzvf unixODBC-2.3.7.tar.gz | |
| cd unixODBC-2.3.7 | |
| ./configure --sysconfdir=/opt --disable-gui --disable-drivers --enable-iconv --with-iconv-char-enc=UTF8 --with-iconv-ucode-enc=UTF16LE --prefix=/opt |
| a4b.amazonaws.com | |
| access-analyzer.amazonaws.com | |
| account.amazonaws.com | |
| acm-pca.amazonaws.com | |
| acm.amazonaws.com | |
| airflow-env.amazonaws.com | |
| airflow.amazonaws.com | |
| alexa-appkit.amazon.com | |
| alexa-connectedhome.amazon.com | |
| amazonmq.amazonaws.com |
Just documenting docs, articles, and discussion related to gRPC and load balancing.
https://github.com/grpc/grpc/blob/master/doc/load-balancing.md
Seems gRPC prefers thin client-side load balancing where a client gets a list of connected clients and a load balancing policy from a "load balancer" and then performs client-side load balancing based on the information. However, this could be useful for traditional load banaling approaches in clound deployments.
https://groups.google.com/forum/#!topic/grpc-io/8s7UHY_Q1po
gRPC "works" in AWS. That is, you can run gRPC services on EC2 nodes and have them connect to other nodes, and everything is fine. If you are using AWS for easy access to hardware then all is fine. What doesn't work is ELB (aka CLB), and ALBs. Neither of these support HTTP/2 (h2c) in a way that gRPC needs.
| from io import BytesIO | |
| import gzip | |
| import shutil | |
| def upload_gzipped(bucket, key, fp, compressed_fp=None, content_type='text/plain'): | |
| """Compress and upload the contents from fp to S3. | |
| If compressed_fp is None, the compression is performed in memory. | |
| """ |
