#!/bin/bash
echo 'at=lxd-config msg="Init LXD"'
cat <<EOF | sudo lxd init --preseed
config:
  core.https_address: '[::]:8443'
  core.trust_password: password
networks:
- config:
    ipv4.address: auto
@jwieringa
jwieringa / attributes.rb
Created April 20, 2019 17:55 — forked from lizthegrey/attributes.rb
Hardening SSH with 2fa
default['sshd']['sshd_config']['AuthenticationMethods'] = 'publickey,keyboard-interactive:pam'
default['sshd']['sshd_config']['ChallengeResponseAuthentication'] = 'yes'
default['sshd']['sshd_config']['PasswordAuthentication'] = 'no'

In a terminal start a server.

$ python -m SimpleHTTPServer 8000

In another terminal set up the cgroups freezer.

@jwieringa
jwieringa / terraform-select-resources.sh
Last active July 5, 2018 18:01
A helper bash script for selectively applying Terraform resources
#!/bin/bash
plan () {
  terraform plan \
    -out=plan.output \
    -target=module.useast1.aws_eip.nateip[3]
}
apply () {
  terraform apply plan.output
@jwieringa
jwieringa / infra-secret-management-overview.md
Created May 10, 2018 20:14 — forked from maxvt/infra-secret-management-overview.md
Infrastructure Secret Management Software Overview

Currently, there is an explosion of tools that aim to manage secrets for automated, cloud native infrastructure management. Daniel Somerfield did some work classifying the various approaches, but (as far as I know) no one has made a recent effort to summarize the various tools.

This is an attempt to give a quick overview of what can be found out there. The list is alphabetical. There will be tools that are missing, and some of the facts might be wrong--I welcome your corrections. For the purpose, I can be reached via @maxvt on Twitter, or just leave me a comment here.

There is a companion feature matrix of various tools. Comments are welcome in the same manner.

@jwieringa
jwieringa / gist:c111410d53a74b4bdeea74a837b03af2
Created May 1, 2018 21:47
Amazon linux Package Version Install
# JDK version: Find the package version with:
# $ yum --showduplicates list java-1.8.0-openjdk | expand
# Loaded plugins: priorities, update-motd, upgrade-helper
# Available Packages
# java-1.8.0-openjdk.x86_64 1:1.8.0.71-2.b15.8.amzn1 amzn-main
# java-1.8.0-openjdk.x86_64 1:1.8.0.77-0.b03.9.amzn1 amzn-updates
# java-1.8.0-openjdk.x86_64 1:1.8.0.91-0.b14.10.amzn1 amzn-updates
# java-1.8.0-openjdk.x86_64 1:1.8.0.101-3.b13.24.amzn1 amzn-updates
#
# Example install: yum install <package>-<version_info>.<architecture_info>
package main
import (
	"fmt"
	"io"
	"os"
)
var path = "/Users/novalagung/Documents/temp/test.txt"
@jwieringa
jwieringa / aws_inspector.md
Last active November 15, 2019 07:09
Exploring running AWS Inspector on CoreOS Container Linux

AWS Inspector Support in a Containerized environment

Summary

  • If behavioral analysis is required, then the kernel module is required
  • The inspector agent cannot be compiled for container linux because the source code is not open
  • The inspector agent is dynamically linked and therefore must be run on a supported filesystem/OS
  • Therefore, the inspector agent must be run inside of a container
  • The inspector agent in the container needs to have the correct mounts and capabilities to scan the host system
@jwieringa
jwieringa / auto-update-kmods.ignition
Created April 26, 2018 19:54 — forked from dm0-/auto-update-kmods.ignition
Automatically update custom kernel modules on CoreOS
{
  "ignition": { "version": "2.0.0" },
  "systemd": {
    "units": [
      {
        "name": "auto-update-kmods.service",
        "enable": true,
        "contents": "[Unit]\nDescription=Install custom kernel modules\nAfter=lib-modules.mount network-online.target\nRequires=lib-modules.mount network-online.target\nConditionPathExists=!/opt/modules/%v\nConditionPathExistsGlob=/lib/modules/auto-update-kmods.d/*.sh\n\n[Service]\nType=oneshot\nExecStart=/bin/bash -ex /lib/modules/auto-update-kmods.sh\n\n[Install]\nWantedBy=multi-user.target\n"
      },
      {
#!/bin/bash
#By installing the Amazon Inspector Agent, you agree that your use is
# subject to the terms of your existing AWS Customer Agreement or other
# agreement with Amazon Web Services, Inc. or its affiliates governing your
# use of AWS services. You may not install and use the
# Amazon Inspector Agent unless you have an account in good standing with AWS.
# Copyright 2016 Amazon Web Services, Inc. or its affiliates. All Rights Reserved.
# Licensed under the terms of your existing AWS Customer Agreement