Articles


Puppet Enterprise DB API and Structured Facts

Posted by  | Categories: AWS, Devops, Puppet, Virtualization


For a recent project I was challenged with the need to prove an AWS EC2 instance was a puppet server without access to the instance. Thankfully the Puppet Enterprise DB API has exactly what I needed. However, I found the examples in the documentation online were not good enough for my needs.

HOWTO: AWS AMI Creation with Puppet

Posted by  | Categories: AWS, Devops, Operating Systems, Puppet, Virtualization

Here is a short HOWTO which results in a custom Amazon AWS EC2 AMI image with the Puppet Enterprise agent installed and set up to connect to the Puppet master server. This method uses a 3rd party tool called Packer.io, which greatly simplifies and automates the AMI build process in a scriptable and pragmatic way. This is a very easy way to build hypervisor OS template images with the Puppet agent pre-installed for AWS, Docker, Google Cloud, OpenStack, Parallels, QEMU, VirtualBox, or VMware.

Automation Speeds Builds & Deployment, Enforces Compliance for PhoenixNAP | Puppet Labs

Posted by  | Categories: News & Events, Operating Systems, Puppet, Virtualization


Here is an interview I did with Puppet Labs on my automation work with PhoenixNAP. With a combination of VMware, Puppet Enterprise, and a Git repo based WarDeployer system I wrote, releases were transformed from a heartache performance into a pull request. Rollbacks are just as elegant.

[Link to video]

Automation Speeds Builds & Deployment, Enforces Compliance for PhoenixNAP with Bryan Andrews | Puppet Labs.

Puppet Module - EC2TagFacts

Posted by  | Categories: Operating Systems, Puppet, Virtualization

I’ve written and published a Puppet module to load AWS EC2 tags into Puppet as facts. So now when you tag your EC2 instance, the tag is usable by Puppet as a fact. The AWS CLI tools are automatically installed and set up; you just have to provide your key and secret with read access to the tags. An example policy is provided.

TCNative package HOWTO

Posted by  | Categories: Operating Systems, Security

HOWTO build and package the Apache Tomcat Native binaries for your CentOS system.

Download: git clone git@github.com:BIAndrews/tcnative-packager.git

Build steps and example:

$ ./tcnative-packager.sh 
Ensuring CentOS dependant packages...
  - You are not root, so make sure all your dependancies are already installed like apr-devel openssl-devel apr apr-util apr-util-devel openssl wget, an OpenJDK, and fpm via gem
Detected fpm installed
OpenJDK detected. Version:
openjdk version "1.8.0_45"
OpenJDK Runtime Environment (build 1.8.0_45-b13)
OpenJDK 64-Bit Server VM (build 25.45-b02, mixed mode)
Using JDK found at /usr/lib/jvm/java-openjdk
Creating /home/example/tcnative-packager/src-26944/usr to install and package from
Running configure...
Compiling...
Installing into "/home/example/tcnative-packager/src-26944/usr"...
Setting workdir {:workdir=>"/tmp", :level=>:info}
Setting from flags: architecture=x86_64 {:level=>:info}
Setting from flags: description=The mission of the Tomcat Native Library (TCN) is to provide a free library of C data structures and routines.  This library contains additional utility interfaces for Java. {:level=>:info}
Setting from flags: epoch= {:level=>:info}
Setting from flags: iteration=0 {:level=>:info}
Setting from flags: license=Apache Software License {:level=>:info}
Setting from flags: maintainer=you@example.com {:level=>:info}
Setting from flags: name=tcnative {:level=>:info}
Setting from flags: url=http://tomcat.apache.org/download-native.cgi {:level=>:info}
Setting from flags: version=1.1.33 {:level=>:info}
Setting from flags: architecture=x86_64 {:level=>:info}
Converting dir to rpm {:level=>:info}
no value for epoch is set, defaulting to nil {:level=>:warn}
Reading template {:path=>"/usr/local/rvm/gems/ruby-2.2.0/gems/fpm-1.3.3/templates/rpm.erb", :level=>:info}
no value for epoch is set, defaulting to nil {:level=>:warn}
Running rpmbuild {:args=>["rpmbuild", "-bb", "--define", "buildroot /tmp/package-rpm-build20150615-27597-r98ysc/BUILD", "--define", "_topdir /tmp/package-rpm-build20150615-27597-r98ysc", "--define", "_sourcedir /tmp/package-rpm-build20150615-27597-r98ysc", "--define", "_rpmdir /tmp/package-rpm-build20150615-27597-r98ysc/RPMS", "--define", "_tmppath /tmp", "/tmp/package-rpm-build20150615-27597-r98ysc/SPECS/tcnative.spec"], :level=>:info}
Executing(%prep): /bin/sh -e /tmp/rpm-tmp.AnyiY3 {:level=>:info}
Executing(%build): /bin/sh -e /tmp/rpm-tmp.FK6xnN {:level=>:info}
Executing(%install): /bin/sh -e /tmp/rpm-tmp.Vso6Mw {:level=>:info}
Processing files: tcnative-1.1.33-0.x86_64 {:level=>:info}
Wrote: /tmp/package-rpm-build20150615-27597-r98ysc/RPMS/x86_64/tcnative-1.1.33-0.x86_64.rpm {:level=>:info}
Executing(%clean): /bin/sh -e /tmp/rpm-tmp.npuzT2 {:level=>:info}
Created package {:path=>"../tcnative-1.1.33-0.x86_64.rpm"}
Done!
Cleaning up /home/io/tcnative-packager/src-26944/usr...
########################################################

Name        : tcnative                     Relocations: / 
Version     : 1.1.33                            Vendor: io@example.com
Release     : 0                             Build Date: Mon 15 Jun 2015 09:23:19 AM MST
Install Date: (not installed)               Build Host: me.example.com
Group       : default                       Source RPM: tcnative-1.1.33-0.src.rpm
Size        : 2567110                          License: Apache Software License
Signature   : (none)
Packager    : you@example.com
URL         : http://tomcat.apache.org/download-native.cgi
Summary     : The mission of the Tomcat Native Library (TCN) is to provide a free library of C data structures and routines.  This library contains additional utility interfaces for Java.
Description :
The mission of the Tomcat Native Library (TCN) is to provide a free library of C data structures and routines.  This library contains additional utility interfaces for Java.
/usr/lib64/libtcnative-1.a
/usr/lib64/libtcnative-1.la
/usr/lib64/libtcnative-1.so
/usr/lib64/libtcnative-1.so.0
/usr/lib64/libtcnative-1.so.0.1.33
/usr/lib64/pkgconfig/tcnative-1.pc

IPViking Live

Posted by  | Categories: Security

Every second, Norse collects and analyzes live threat intelligence from darknets in hundreds of locations in over 40 countries. The attacks shown are based on a small subset of live flows against the Norse honeypot infrastructure, representing actual worldwide cyber attacks by bad actors. At a glance, one can see which countries are aggressors or targets at the moment, using which type of attacks (services-ports).

Hovering over the ATTACK ORIGINS, ATTACK TARGETS, or ATTACK TYPES will highlight just the attacks emanating from that country or over that service-port respectively. Hovering over any bubble on the map will highlight only the attacks from that location and type. Press S to toggle table sizes.

Norse exposes its threat intelligence via high-performance, machine-readable APIs in a variety of forms. Norse also provides products and solutions that assist organizations in protecting and mitigating cyber attacks.

This is really neat! I’m thinking about using this idea on the SSHfail2KML project.

Link: Norse – IPViking Live.

DDR3 RAM has Hit its Lowest Price Point in 26 Months

Posted by  | Categories: Hardware, News & Events

DDR3 has reached its lowest price point in 26 months, according to PCGamer. This information stems from a report published by the DRAMeXchange. The prices of RAM have been decreasing as PCs and tablets have grown in popularity. Over the second quarter of this year, prices have fallen about 9 percent. The full price of a 4GB DDR3 SO-DIMM is around $27.50.

DDR3 RAM has Hit its Lowest Price Point in 26 Months | Digital Trends.


GRSec Full Automation

Posted by  | Categories: Operating Systems, Security, Virtualization, VMWare


GRSecurity is a set of patches for the Linux kernel which emphasizes security enhancements. These are 3rd party patches not included in the vanilla Linux kernel. This means if you run an industry standard Linux OS like CentOS or Ubuntu you will need to compile your own package or get it from a 3rd party. This script aims to automate the process and make it easier to implement and administer.

GFA v1.0 is hard coded for 64-bit OSes and only tested on CentOS 6. If there is interest, APT (Debian/Ubuntu) compatible systems could be added.

  • Easy to use
  • Easy to update to latest supported GRSec and kernel versions
  • Documented groups for easier management
  • RPM creation capability for easier implementation and reproducible results
  • Open source
  • All sources from verifiable upstream locations
  • Text based GUI for easy configurability and remote deployment

New Groups you will need to know about:

  • GID 2000, grs-proc: for non-root users that need access to the /proc filesystem. Anyone who isn’t root and not in this group will not be able to even see other users’ processes or who else is logged in.
  • GID 2001, grs-tpe: all users in this group are only able to exec files in root-owned directories that are writable by root, nothing more. Not even ~/bin/.
  • GID 2002, grs-sock-all: group to disable all socket access.
  • GID 2003, grs-sock-client: group to disable all client-only socket access.
  • GID 2004, grs-sock-sever: group to disable all server-only socket access.
  • GID 2005, grs-audit: group to enforce full auditing through syslog. Logs exec, ptrace, mount, sig, and chdir of these users.

Installation / Implementation:

[root@colo3 src]# ./BryanAndrews.org-GFA.sh 

This script is an automation tool for downloading, patching, and compiling the Linux kernel with GRSec 
security patches. Supplemental GRSec related tools like gradm and paxctl are included. Optional RPM 
packaging and RPM .SPEC creation is done. These RPM and .SPEC files are saved in the current users 
home directory. This is hard coded for 64bit systems only. If you later install the produced kernel 
RPM package you will need to create the groups specified below. These are also adjustable in the 
sysctl settings before the system is locked.
The following groups will be created for you:

Group GID 2000  grs-proc        This group is for non-root users that need access to the /proc system.
Group GID 2001  grs-tpe         All users in this group are only able to exec files in root owned dirs 
writable by root, nothing more.
Group GID 2002  grs-sock-all    Group to disable all socket access.
Group GID 2003  grs-sock-client Group to disable all client only socket access.
Group GID 2004  grs-sock-sever  Group to disable all server only socket access.
Group GID 2005  grs-audit       Group to enforce full auditing through syslog. Logs exec, ptrace, mount, 
sig, and chdir. 

Build root directory: /usr/src
GRSEc version: 3.0
GRSec Release: 201407151835
GRAdmin Release: 201407162022
Linux Kernel version: 3.2.61
PAXctl version: 0.8
Make RPMs?: y
This RPM release number: 7

BUILD ROOT               /usr/src
RPM RELEASE              7
KERNEL Version           3.2.61
GRSEC Version            3.0
GRSEC RELEASE            201407151835
GRADMN RELEASE           201407162022
CPU CORES                8
LOG File                 /usr/src/bryans_grsec-201407172043.log
BOOT PATH                /boot/
PAX URL                  http://pax.grsecurity.net/paxctl-0.8.tar.gz
GRSEC URL                http://grsecurity.net/stable/grsecurity-3.0-3.2.61-201407151835.patch
GRADM URL                http://grsecurity.net/stable/gradm-3.0-201407162022.tar.gz
KERNEL URL               https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.2.61.tar.xz
KERNEL TARBALL           linux-3.2.61.tar.xz
DESTINATION PACKAGE DIR  /root

This will download, install, and compile the Linux GRSec kernel on this system. If you do not want to do 
this press CTRL+C now to quit.
Press any key to continue... 
Installing prereq tools to build the kernel... OK
Downloading kernel 3.2.61 and GRSec patch 3.0... OK
Creating GRSec kernel configs in grsec_kernel_config.cfg with defaults OK
Using live kernel config to create a compatible new GRSec 3.0 config... OK
Building paxctl RPM... OK
Building gradm RPM... OK
Hacking the kernel repos generated spec file to install the kernel in grub when you install the RPM... OK
Setting the kernel RPM release to 7... OK
Building kernel 3.2.61-grsec RPM using 8 threads... OK
Checking for Kernel SRC RPM... OK
Checking for Kernel RPM... OK
Checking for Kernel headers RPM... OK
---------------------------------------------------------------------------------

RUN COMPLETED SUCCESSFULLY

Created /root/paxctl-0.8-7.x86_64.rpm
Created /root/gradm-3.0-7.x86_64.rpm
Created /root/kernel-3.2.61_grsec-7.src.rpm
Created /root/kernel-3.2.61_grsec-7.x86_64.rpm
Created /root/kernel-headers-3.2.61_grsec-7.x86_64.rpm

---------------------------------------------------------------------------------
[root@colo3 src]#
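The produced kernel RPM expects the six groups above to exist on the target host with exactly those GIDs. The following shell check is an added example, not part of GFA: it reads a file in /etc/group format, reports each group as OK, MISSING or MISMATCH, and prints the groupadd command for missing ones without running anything. The function names, the constructed sample group file and the default path are assumptions.

```shell
# Added example (not part of GFA): verify the GRSec groups a host needs before the
# kernel RPM is installed. Read-only: it never calls groupadd itself.
# Names and GIDs are the ones listed in the post (grs-sock-sever as spelled there).
GRSEC_GROUPS="2000:grs-proc 2001:grs-tpe 2002:grs-sock-all 2003:grs-sock-client 2004:grs-sock-sever 2005:grs-audit"

# check_grsec_groups [group_file]   (default /etc/group)
# Prints one line per group; returns 0 only if all six exist with the expected GID.
check_grsec_groups() {
    group_file="${1:-/etc/group}"
    bad=0
    for pair in $GRSEC_GROUPS; do
        gid="${pair%%:*}"
        name="${pair#*:}"
        # /etc/group fields: name:password:gid:members
        actual_gid=$(awk -F: -v n="$name" '$1 == n { print $3; exit }' "$group_file")
        holder=$(awk -F: -v g="$gid" '$3 == g { print $1; exit }' "$group_file")
        if [ -z "$actual_gid" ]; then
            if [ -n "$holder" ]; then
                # groupadd -g would collide; the admin has to resolve this first.
                echo "MISSING  $name: GID $gid is already taken by $holder"
            else
                echo "MISSING  $name: create with 'groupadd -g $gid $name'"
            fi
            bad=1
        elif [ "$actual_gid" != "$gid" ]; then
            # Same name, other GID: the kernel's group-based policy keys on the GID.
            echo "MISMATCH $name has GID $actual_gid, expected $gid"
            bad=1
        else
            echo "OK       $name ($gid)"
        fi
    done
    return "$bad"
}

# demo_grsec_groups: run the check against a constructed sample group file
# (two groups right, one with the wrong GID, one GID held by another group).
demo_grsec_groups() {
    tmp=$(mktemp) || return 2
    printf '%s\n' 'root:x:0:' 'grs-proc:x:2000:' 'grs-tpe:x:2001:' \
        'grs-audit:x:2100:' 'backup:x:2003:' > "$tmp"
    check_grsec_groups "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}
```

Run `check_grsec_groups` with no argument on the host that will receive the RPM; a non-zero exit means at least one group still has to be created or fixed.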


DOWNLOAD LINK


GRSec Full Automation by Bryan Andrews is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

OnApp v2.3 Review And Quick Start Instructions - Part 1

Posted by  | Categories: Hardware, Operating Systems, Virtualization

In case you haven’t heard about it yet, OnApp is a very fast and relatively inexpensive way for you to create your own public or private cloud.
