{Digital Safe}

Operating in a Cloud Environment

# ABOUT THE INSTRUCTOR

```
Former Forward Communications
```

Software Engineer

Linux Enthusiast

# AGENDA

1

- Introduction

- Procurement & Attribution

- Basic Setup

- Version Control

- Scripting and Automation

2

- Building Locally

- Containers & Namespaces

- Custom Images

- Recipe Tools

3

- Dynamic Monitoring

- Accessing Remote Services

- Cloud Hardening

- Firewalls

4

- Automated Hardening and Scanning

- Q & A

- Capstone

Training Days

# Our TECH STACK

Fedora (35)

KDE Plasma Shell

Some Extra Applications and Tweaks along the way

# OUR TECH STACK

# TAKING NOTES ONLINE

Taking Notes

www.github.com
Open Source Code Repositories
Create a Repository for "ClassNotes"
Use Markdown in ".md" files

https://obsidian.md

# TAKING NOTES

$ sudo dnf install flatpak
$ flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
$ flatpak install flathub md.obsidian.Obsidian

Markdown in 30 Seconds

# TAKING NOTES

# Title

## Sub Title

### etc. etc. etc.

Comments about `commands`

List:
 
- **bold**
- *italics*
- ++underline++
- ~~strikethrough~~
- ==Highlight==

- [ ] Incomplete Checkbox
- [x] Complete Checkbox

Even [hyper-links](www.someurl.com)

```python
# Code Here
def say_hi(name="Kevin"):
  print(f'Hello {name}')
  
say_hi("Tom")
```

{Day 01}

From Zero to ________

{Procurement}

How and Where do we get a "Cloud Environment"

Define Requirements

Resources
POPs
Attribution
Timelines of use

1.

2.

Research Providers

Big names vs small names
Capabilities
Payment Model

3.

Rotate Responsibly

Data exfil costs
Rotating within a provider
Rotating resources

# PROCUREMENT PROCESS

Most providers are trying to prevent crypto mining, scams, and illegal activity

https://prv.to

{Attribution}

Who am I? Who are We?

Assume Compromise
Spiking Interest AKA Being too Sneaky
Historical Backstopping
Should You Use Third Parties?
- Trust but verify

Attribution Pillars

# ATTRIBUTION

Network / Application (Packets, Ports, Protocols, Timestamps)
Logistical
Usage (Timezone, etc.)
Internal State (Language, Configuration, etc.)

# TYPES OF ATTRIBUTION

Consider the Threat Model
- What can they see?
- Where are they looking from?
- What don't I want them to see?
- What do I want them to see?
- Who can they collaborate with?
Consider trade-offs in usability, security, and noise floor

# THREAT MODEL

{Linux}

Catching Up

# What is Linux?

Technically an Open Source kernel
Commonly known as a Open Source Operating System
- An Operating System is a kernel and tools together
- Also referred to as GNU/Linux to credit the tools + the kernel
Created in 1991 by Linus Torvalds based on Unix

Heavily used in servers, embedded, and development environments
Reputation for being advanced or difficult

# Open Source?

Software where the source code used to build the software is open to the public
Usually released under special licenses
- Different licenses have different restrictions
- Licenses have been the topic of holy wars
'Free' as in Speech, sometimes 'Free' as in Beer

# Key Linux Concepts

Everything is a file (including directories)
- Absolute paths start with a leading '/'
- Relative paths start with anything else
'Hidden' files start with a leading '.'
Many configurations and settings are simply text files
Many GUI programs simply 'wrap' command line programs
Commands can be 'linked' (or 'chained') with one another

# LINUX COMPONENTS

CPU

Screen

HDD

RAM

...

Linux Kernel

GNU Core Utilities

System Config

PKG MGMT

User Applications

Desktop Environment

# COMMON DISTROS

Debian Based
- Includes Ubuntu, Mint, Elementary
- DEB Packages
Redhat Based
- Includes CentOS (and Clones), Fedora
- RPM Packages
Other Notable
- Arch Based (Manjaro, Garuda)
- OpenSUSE

# COMMON Desktop Envrionments

Gnome 3

KDE Plasma Shell

Specialized (i3, etc.)

# File System

# Permissions

Three sections of three "types" of permissions
- r = read
- w = write
- x = execute
- - = None
Sections are: Owner, Group, and Other (or World)
A fourth prefix section includes
- - = file
- d = directory
- l = link

$  touch file

$  ls -l file
-rw-rw-r-- 1 student student 0 Jan 16 13:58 file

$  chmod o+x file

$  ls -l file
-rw-rw-r-x 1 student student 0 Jan 16 13:58 file

# Permissions

Commands
- chown
- chmod

{Shell Setup}

Becoming a Nerd

Combining Commands (Pipes)

Commands can be combined by using pipes
Pipes take the output of one command, and make it the input for another command
Pipes use the | character
Purpose is to change or modify the output in some way
This is extremely useful!

$  command1 | command2 | command3

# Pipes

Redirecting

Redirecting is similar to piping, except that either the input, output, or error output can be "sent somewhere else"
Useful for:
- Sending the output of a command to a file
- Using the contents of a file as input to a command
Three Operators
- > Output - Start from the beginning
- < Input
- >> Append

$  echo "Send me to a file" > file.txt

$  echo < file.txt
Send me to a file

# Redirecting

Special Redirecting

All files are accessible via "special numbers" (known as file descriptors)
- stdin = "0"
- stdout = "1"
- stderr = "2"
Useful to send errors to places such as to log errors, or ignore

$  cat some_file.txt 2> err_file.txt
  # Redirect stderr to 'err_file.txt'

$  cat some_file.txt 2>&1
  # Redirect stderr to stdout (stdout still goes to screen)

$  cat some_file.txt 2>&1 > out.txt
  # Redirect stderr to stdout, then stdout to 'out.txt' file

$  cat some_file.txt &> some_file.txt
  # Redirect stderr AND stdout to a file

# Redirecting

Nobody remembers all the commands and options!
Google!
Help Docs exist for most commands
- $ command --help
- $ command -h
Manpages are good if there is no internet
- $ man command

# Finding Help

quickref.me
curl cheat.sh/CMD
tldr CMD

Completions
Suggestions
Themes
Human Readable Scripting
However...

# FISH SHELL

Completions
Corrections
Plugins

Let's do it!

$ sudo dnf install zsh util-linux-user git

$ sudo chsh -s $(which zsh) $USER

# in ~/.zshrc

ENABLE_CORRECTION="true"
COMPLETION_WAITING_DOTS="true"

export PATH=/usr/local/bin:$HOME/.local/bin:$PATH
export SSH_KEY_PATH="~/.ssh/rsa_id"
export TERM="xterm-256color"
fpath+=~/.zfunc
compinit -U

# ZSH SHELL

Oh My ZSH

$ git clone \
  https://github.com/robbyrussell/oh-my-zsh \
  ~/.oh-my-zsh

# in the TOP of ~/.zshrc

export ZSH=$HOME/.oh-my-zsh
ZSH_THEME="robbyrussell"
plugins=()
source $ZSH/oh-my-zsh.sh

List of Plugins

But mind how many plugins you use!

# ZSH PLUGINS

Auto Suggestions

$ git clone \
  https://github.com/zsh-users/zsh-autosuggestions \
  ~/.oh-my-zsh/custom/plugins/zsh-autosuggestions

# in ~/.zshrc

plugins=(
  zsh-autosuggestions
)

# ZSH PLUGINS

Syntax Highlighting

$ git clone \
  https://github.com/zsh-users/zsh-syntax-highlighting.git \
  ~/.oh-my-zsh/custom/plugins/zsh-syntax-highlighting

# in ~/.zshrc

plugins=(
  zsh-autosuggestions 
  zsh-syntax-highlighting
)

# ZSH PLUGINS

Abbrev Alias

$ git clone \
  https://github.com/momo-lab/zsh-abbrev-alias \
  ~/.config/zsh-abbrev-alias/

# in ~/.zshrc

export USE_ABBREV_ALIAS=1
source $HOME/.config/zsh-abbrev-alias/abbrev-alias.plugin.zsh

abbrev-alias gl='git log --graph --all --oneline --decorate'

When to use Regular Aliases?

# ZSH PLUGINS

Built In Plugins

# in ~/.zshrc

plugins=(
  zsh-autosuggestions 
  zsh-syntax-highlighting
  sudo
  dnf
  git
)

Full List of Plugins

# ZSH PLUGINS

Custom Prompts - Starship

$ curl -fsSL https://starship.rs/install.sh | bash

# In ~/.zshrc

# Remove ZSH_THEME...

eval "$(starship init zsh)"

# STARSHIP


╭─kevin@shenron in repo: toast on  main [$] is 📦 v0.45.2 via  v1.60.0-nightly took 28ms
╰─➤

FZF - The Fuzzy Finder

$ git clone --depth 1 https://github.com/junegunn/fzf.git ~/.fzf

$ ~/.fzf/install

# In ~/.zshrc

[ -f ~/.fzf.zsh ] && source ~/.fzf.zsh

Commands

CTRL + r
CTRL + t

# FZF

Navi - Personal Cheat Sheet

$ curl -sL https://raw.githubusercontent.com/denisidoro/navi/master/scripts/install | sh

# In ~/.zshrc

eval "$(navi widget zsh)"

Commands

CTRL + g

# NAVI

Navi Cheats Example

% dnf

# List files included in an RPM
sudo dnf repoquery --installed -l <PKG>

# List files included in an installed RPM
sudo dnf repoquery --installed -l <EXISTING_PKG>

# Disable repository
sudo dnf config-manager --set-disabled <EXISTING_REPO>

# Add repository
sudo dnf config-manager --add-repo <REPOSITORY>

$ EXISTING_REPO: dnf repolist | awk '{print $1}'
$ EXISTING_PKG: rpm -qa | grep -oP '^[^.]*(?=-[0-9])'

# NAVI

{Pre-Scripting}

Advanced Command Line

# SHELL-FU

Variables

We can store information in variables
These variables are like "buckets", we may not know exactly what is in the bucket, but we can refer to the contents at use
Syntax is a dollar sign ($) followed by a word or underscore
- Convention uses UPPER_SNAKE_CASE
Your environment stores many variables

# SHELL-FU

Variable Continued

To see current variables in your environment, use the command 'env'
Some important variables are:
- USER - your current username
- SHELL - Which shell program you are using
- PWD - Your current directory
- EDITOR - Your text editor
- PATH - Where to look for binary executables

# SHELL-FU

Creating and Using Variables

Create a variable using the variable name, followed by an equals sign, followed by the "value"
Then get the "value" out of the variable by using a dollar sign ($) followed by the variable name

$  ANIMAL=cat

$  echo $ANIMAL
cat

{Substitutions and Expansion}

AKA Magic

# EXPANSIONS

Saves typing
Reduce errors
Two types of expansions
- globs
- parameter expansions

$ mv /some/long/path/file.old /some/long/path/file.new

# vs

$ mv /some/long/path/file.{old,new}

# GLOBS

Matches zero or more characters

Matches exactly one character

Matches given characters only

Matches any except given chars

$ ls -l
total 264896
-rw-r--r--  1 kevin kevin 15400455 Jan 17 10:33 09b25a9a5c720.tar.gz
-rw-rw-r--  1 kevin kevin 43487904 Dec  7 13:00 code_1.18.1-1510857349_amd64.deb
-rw-rw-r--  1 kevin kevin 27765264 Dec  7 13:01 encryptr_2.0.0-1_amd64.deb
-rw-rw-r--  1 kevin kevin  1407463 Jan 10 14:14 FEL-r22.pdf
-rw-rw-r--  1 kevin kevin   397750 Jan 10 14:14 FEL.tar.gz
-rw-rw-r--  1 kevin kevin 42004318 Dec  7 13:01 haroopad-v0.13.1-x64.deb
-rw-rw-r--  1 kevin kevin 79941824 Dec  7 13:04 keybase_amd64.deb

$ ls -l *.deb
total 264896
-rw-rw-r--  1 kevin kevin 43487904 Dec  7 13:00 code_1.18.1-1510857349_amd64.deb
-rw-rw-r--  1 kevin kevin 27765264 Dec  7 13:01 encryptr_2.0.0-1_amd64.deb
-rw-rw-r--  1 kevin kevin 42004318 Dec  7 13:01 haroopad-v0.13.1-x64.deb
-rw-rw-r--  1 kevin kevin 79941824 Dec  7 13:04 keybase_amd64.deb

[abc]

In short...wild cards

Special Groups

[[:named:]]

[!abc]

alpha digit alnum

lower upper

punct space

# PARAMETER EXPANSIONS

AKA "curly brace expansion"
Expands to "lists"
Can be combined with globs

$ echo {one,two,three}
one two three

$ ls -l {*.deb,0*}
-rw-r--r-- 1 kevin kevin 15400455 Jan 17 10:33 09b2af7a5c720.tar.gz
-rw-rw-r-- 1 kevin kevin 43487904 Dec  7 13:00 code_1.18.1-1510857349_amd64.deb
-rw-rw-r-- 1 kevin kevin 27765264 Dec  7 13:01 encryptr_2.0.0-1_amd64.deb
-rw-rw-r-- 1 kevin kevin 49035482 Dec 19 15:23 google-chrome-stable_current_amd64.deb
-rw-rw-r-- 1 kevin kevin 42004318 Dec  7 13:01 haroopad-v0.13.1-x64.deb
-rw-rw-r-- 1 kevin kevin 79941824 Dec  7 13:04 keybase_amd64.deb

Supports basic sequences (similar to 'seq' command)

$ echo {A..Z}
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

# COMMAND SUBSTITUTION

Allows using the output of a command as the actual input for another command
- In other words, the output is used inline as if it was directly typed on the command line

$ ls $(echo "-l")
total 264896
-rw-r--r--  1 student student 15400455 Jan 17 10:33 09b2afa5c720.tar.gz
-rw-rw-r--  1 student student 43487904 Dec  7 13:00 code_1.18.1-1510857349_amd64.deb
-rw-rw-r--  1 student student 27765264 Dec  7 13:01 encryptr_2.0.0-1_amd64.deb

$ ls -l
total 264896
-rw-r--r--  1 student student 15400455 Jan 17 10:33 09b2afa5c720.tar.gz
-rw-rw-r--  1 student student 43487904 Dec  7 13:00 code_1.18.1-1510857349_amd64.deb
-rw-rw-r--  1 student student 27765264 Dec  7 13:01 encryptr_2.0.0-1_amd64.deb

Like parameter expansion, but uses a dollar sign ( ) and expands variables

$ ANIMAL=cat

$ echo ${ANIMAL}
cat

$ echo ${ANIMAL}s
cats

$ echo $ANIMALs

# PARAMETER SUBSTITUTION

Supports internal substitution via forward slashes ( )
Supports Default values via

$ ANIMAL=cat

$ echo ${ANIMAL/at/ow}
cow

$ echo ${ANIMALs:-dog}
dog

$ CAT=tabby

$ ANIMAL=CAT

$ echo ${ANIMAL}
CAT

$ echo ${#ANIMAL}
3

$ echo ${!ANIMAL}
tabby

# PARAMETER SUBSTITUTION

Variable Length

Variable Indirection

Other operators available

Using the 'diff' command

$ diff <(ls -l) <(ls -al)    
1c1,3
< total 264896
---
> total 264904
> drwxr-xr-x  3 student student     4096 Jan 17 11:11 .
> drwxr-xr-x 35 student student     4096 Jan 17 12:34 ..

$ diff $(ls -l) $(ls -al)    
diff: invalid option -- '-'
diff: Try 'diff --help' for more information.

Very close to command substitution, but subtly different!
Process substitution uses <(command) whereas command substitution uses $(command)
Allows using the output of a command, but stored in a "temporary file" (/dev/fd/<#>) then that file is passed to the next command

# PROCESS SUBSTITUTION

{Version Control}

Taming the chaos

Version control software that tracks changes to files
Allows you (or multiple people) to contribute to a single project
Allows multiple 'branches' to be worked on at the same time and merged together
git is SUPER complex, we will only scratch the surface

# GIT

Basics

Enable git tracking on a folder (i.e. project)

$ git init

By default you are working on the 'main' branch
By default git tracks all files in the folder (if you add new files later use the command git add <files>)
Work on files as normal
Once you are ready to "save" your code issue the command

$ git commit -a

This "saves" the files and asks you to add a message about what you changed
Use detailed messages!
To add the message inline use 'git commit -am "message"'

# GIT

Branching

Lets say you have a working script, but want to add a new feature or work on a bug, but you don't want to break existing code
You can add a new branch
This in effect copies your project, and allows you work on both the working code and the 'copy' code at the same time
To branch, use

$ git switch my-branch-name

# GIT

Branches (cont.)

You switch back and forth between branches at will

$ git switch awesomefeature

Once you have a working feature, or bug fix you can 'merge' the two branches back into one

$ git switch main

$ git merge awesomefeature

When you have no need for a branch anymore you can delete it

$ git branch -D awesomefeature

# GIT

# GIT

github.com (and alternatives)

Online git repositories
Allows you to save projects and work with others easily
Free service requires public repositories (i.e. projects)
Can be used for more than just scripting/coding

There are self hosted alternatives!

# GIT

# GIT

Cheat Sheet Download Link

{Scripting}

Just do this for me...

# SCRIPTING

Great for lazy people!
Also repetitive tests
At it's most basic form, it's a file containing a list of commands to run

Making a Script

Sh-Bang
Commands

#!/bin/bash

echo "Hello world!"

Save the file to ~/.local/bin/script_01.sh

# SCRIPTING

Running a Script

We can run a script with notation
Alternatively if the script is located in a directory listed in our variable, we can just use the script name

$ ./.local/bin/script_01.sh
zsh: permission denied: ./.local/bin/script_01.sh

# SCRIPTING

$PATH

Making Scripts Executable

If we look at our script, we'll see it's not executable

$ ls -l .local/bin
total 4
-rw-rw-r-- 1 student student 33 Jan 29 10:46 script_01.sh

$ chmod u+x .local/bin/script_01.sh

$ ls -l .local/bin
-rwxrw-r-- 1 student student 33 Jan 29 10:46 script_01.sh

$ ./.local/bin/script_01.sh
Hello world!

# SCRIPTING

Modifying $PATH

./ syntax is fine for one-off scripts, but if this is something we'll want to run many times, it's better to have it inside a director in $PATH

$ export PATH=$PATH:$HOME/.local/bin

$ script_01.sh
Hello world!

We can take this a step further by modifying in our shell startup configuration file

# SCRIPTING

$PATH

Loops

Sometimes we want to do a task repeatedly
We can use a loop to do something a set number of times, or over a set of data
We'll start by using a for loop on the command line
Then move it into a script
The basic syntax is
- for <VAR> in <SET>; do <CMD>; done

$ for NUM in $(seq 1 10); do echo "Hello World! x$NUM"; done
Hello World! x1
Hello World! x2
Hello World! x3
Hello World! x4
Hello World! x5
Hello World! x6
Hello World! x7
Hello World! x8
Hello World! x9
Hello World! x10

# SCRIPTING

for

Loops in Scripts

Although we can do complex things in loops on the command line, it quickly becomes hard to read
If we move the loop to a script, readability improves
The basic syntax becomes

for <VAR> in <SET>;
do
    <CMDS>
done

for NUM in $(seq 1 10);
do
    echo "Hello $NUM times:"
    for _ in $(seq 1 $NUM);
    do
        echo -e "\tHello"
    done
done

We can even nest loops

# SCRIPTING

Making Decisions

So far we can only do a set number of tasks in a script
- It's flexible...but it could be better
Now we'll learn how to do a specific task only in some circumstances, and a different task otherwise
These types of statements are called conditionals
The basic syntax is

if [ <CONDITION> ];
then
    <command if true>
else
    <command if NOT true>
fi

The 'else' could even be omitted if we only want to run a command in some circumstances, but nothing in others

# SCRIPTING

Caveat to Conditionals

'[' vs '[['
[ <condition> ]
- older
- more portable
- supported everywhere
- less flexible
[[ <condition> ]]
- Newer
- not as well supported
- allows for much easier testing
My personal opinion, default to `[[ <condition> ]]` unless you have a reason not to

# SCRIPTING

Failing

Another form of conditionals is boolean logic
Instead of if...else...fi blocks, we can use boolean operators
- - means and (i.e. success)
- - means or (i.e. failure)
The basic syntax is
- <command1> && <command2>
  - Run command1
  - Run command2 only if command1 succeeds
- <command1> || <command2>
  - Run command1
  - Run command2 only if command1 fails
Can be nested with parenthesis
Works great on the command line
Very useful to exit scripts early
- <command that can fail> || (echo "reason" && false)

# SCRIPTING

{Python}

Getting friendly with the snake

What is Python?

A scripting language (specifically an interpreter)
Uses text files (typically ending with ) to perform specific tasks
Each text file is read and executed from top to bottom
- NOT compiled
- ...Buuuuut JIT compiling does happen (.pyc)
Must have interpreter installed to run python scripts

# PYTHON

.py

Why use Python?

Tasks that are: Repeatable, Mundane, Complex, Precise, Time Consuming, etc.
Bridge the end-user technology gap
Rapid prototyping of larger projects
Brevity
Short development time
HUGE repository of libraries and modules (i.e. VERY popular)

# PYTHON

Hello World

# in hello.py
print('Hello World!')

Run via

$ python hello.py
Hello world!

# PYTHON

Variables

Must start with a letter
Typically snake_case_names
Use descriptive names when possible
Cannot be a keyword
Assigned and re-assigned using '='

name = 'something'
age = 29
more_text = a_var

# PYTHON

Types

Dynamic Types
Common Types
- strings
- numbers (int, float, etc.)
- characters
- bools
- lists, dicts, sets, and tuples
- objects
- None

num1 = 2
num2 = 2
both = num1 + num2
print('Adding: ', both)
both = num1 - num2
print('Subtracting: ', both)
both = num1 / num2
print('Dividing: ', both)
both = num1 * num2
print('Multiplying: ', both)
both = num1 % num2
print('Modding: ', both)
text1 = '2'
text2 = '2'
both = text1 + text2
print('String and String: ', both)
fl1 = 2.2
int1 = 2
both = fl1 + int1
print('Float and Int: ', both)
fl2 = 2.2
both = fl1 + fl2
print('Float and Float: ', both)

# PYTHON

Strings

In Python 3.x all strings are a sequence of valid UTF-8 Unicode characters
ASCII vs UTF-8
- 1 byte vs maybe several
- ASCII byte strings in Python 3 (str type, or b'literal')
Hidden characters in strings
- Escape character is \ (i.e. 'string with\'quotes\'')
Common hidden characters
- \n
- \t
- \c\r
Strings are simply lists of characters and can be sliced (more on that later...)

# PYTHON

Lists

An unordered sequence of values
Values do not need to be same type
Formed using the [ and ] characters, separating values by , character
Can be indexed via an integer
- Starts at 0!!
- A negative integer means, "From the end"

my_list = ['Kevin', 'Knapp', 29]
print(my_list[0])
print(my_list[1])
print(my_list[2])

# PYTHON

List Slicing

Lists can be sliced to refer to a specific section of the list using the [:] characters and 0, 1, or 2 numbers
Using 0 numbers refers the to whole list

my_list[:]

The number before the : is the start index
The number after the : is the end index
Omitting either says, "Everything till the end, or from the beginning" respectivly

from_start_to_index_5[:5]
from_index_2_to_end[2:]
from_index_1_to_4[1:4]

A negative number for either start or end, simply reverses the index (i.e. from start or from end)
Start must ALWAYS be below End

# PYTHON

dict

A.k.a. hash-map or a key-value list
Keys do not need to be same type as value
Literal uses {, :, and }
Keys MUST not conflict
Values accesses via [ and ] with the key

person = {'first': 'Kevin',
          'last': 'Knapp',
          'age': 29 }
my_age = person['age']

# PYTHON

Set

An unordered list of UNIQUE items
Literals use { and }
Cannot be access via [ and ], but can be iterated
A good use is to remove duplicates from other collections

my_set = set()
my_set.add('kevin')

# PYTHON

Conditionals

Sometimes you want to take different actions based on certain conditions
Python provides if/else statements
Conditions use Boolean logic to determine which path to take

if some_expression_or_variable:
    # Actions take if TRUE
else:
    # Actions to take if FALSE

Python also provides multi-condition statements by adding elif

if some_expression_or_variable:
    # Actions take if TRUE
elif some_new_test:
    # Actions to take if TRUE
else:
    # Actions to take if all tests are FALSE

# PYTHON

Loops

Sometimes you need to do a specific operation multiple times
Python provides loops for these occasions
There are two types of loops in Python
- for
- while

# PYTHON

for Loop

Used when you need to do something a specific number of times, or for an entire collection of values
The syntax is

for value in some_collection:
    # do something

For example, to print every item in a list

my_list = ['item 1', 'item 2', 'item 3', 'item 4']
for item in my_list:
    print(item)

# PYTHON

for Loop Cont.

If you want to do something a specific number of times you can use the range() function (Functions will be covered later)

# say 'Hello' 10 times
for _ in range(10):
    print('Hello')

Notice we used the '_' character, that's because we didn't need the 'item' variable (in this case it would be a number). Alternatively if we wanted to use it to count we could do

# Count to 10
for num in range(1,11):
    print(num)
    print(',')

Note the start and end values passed to range

# PYTHON

Functions

Functions start with the def keyword, then the name, then parenthesis containing any optional arguments
Arguments are positional and mandatory (with one exception, more on this later...)
If functions wish to send the results back, they use the return keyword followed by the results variable or literal

# A function that takes 2 arguments and doesn't
# return a result
def my_function(some_arg, other_arg):
    # do some work here...

# A function that takes 0 arguments and
# returns a result
def my_other_function():
    # do some more work...
    return True

# PYTHON

Keyword Arguments

Keyword Arguments (a.k.a. kwargs/kargs) allow you to have optional arguments to a function or method (along with mixing the order)

def cool_function(name='kevin', age=29):
    # do stuff here
    return (name, age)

# use the function
n, a = cool_function(age=50)
print('name={}, age={}'.format(n,a))

kwargs can be mixed with positional args too

# PYTHON

Testing with a REPL

Read Evaluate Print Loop
Python's REPL is called IDLE
Accessed via 'python' command
- To stop, type 'quit()'
Most python modules are available, plus some extras (namely dir() )
Sessions non-persistent
Great for testing (and short term memory loss, aka 'getting old')

# PYTHON

{Ansible}

Controlling a Fleet

Ansible

Made by Red Hat
Automation via "scripting light"
Playbooks made up of Plays

---
- name: apply non-kernel updates
  hosts: "{{ HOSTS | default('web') }}"
  become: true
  gather_facts: false

  tasks:
  - name: upgrade all packages except kernel
    yum:
      name: '*'
      state: latest
      exclude: kernel*
    tags: all

  - name: upgrade all packages security related except kernel
    yum:
      name: '*'
      state: latest
      security: true
      exclude: kernel*
    tags: security

Written in YAML
Built-in Modules
Inventories!
Under the hood its a lot of Python
Can make your own modules in Python

# ANSIBLE

Inventories

---
all:
  children:
    controller:
      hosts:
        localhost:
          ansible_connection: local
    user_nodes:
      hosts:
        user01:
          ansible_host: 192.168.1.20
        user02: 
          ansible_host: 192.168.1.21
        user03: 
          ansible_host: 192.168.1.22
    database_server:
      hosts:
        db01:
        db02:
        db03:
    projext_x:
      children:
        user_nodes:
        database_server:

Written in YAML
Can group nodes
Groups can have children
Can use IPs or Hostnames

# ANSIBLE

Running Playbooks

$ ansible-playbook -i inventory_file playbook.yml

# ANSIBLE

{Day 02}

Containers, Containers, Containers

{Containers}

Buzzword Bingo

# What is a Container

Software bundled with all dependencies
- Sort of like a .ZIP with with special permissions
Has it's own "view" of the world (aka Namespace)
- Process Tree
- Network Stack
- Filesystem / mount points
- Resource Limits (CPU, RAM, etc)
- UID / GID
"Image" vs "Container"
"Container" vs "VM"

# What is a Container

Hardware

Linux Kernel

GNU Core Utilities

System Config

PKG MGMT

App

Container

GNU Core Utilities

System Config

PKG MGMT

App

Linux Kernel

GNU Core Utilities

System Config

PKG MGMT

App

Virtual

Hardware

# What is a Container

Hardware

Linux Kernel

GNU Core Utilities

System Config

PKG MGMT

App

Container

App

Linux Kernel

GNU Core Utilities

System Config

PKG MGMT

App

Virtual

Hardware

# Container Software

Kernel Built In
- LXC
- Namespaces
- CGroups

User Facing
- Docker
- Podman

Orchestration Layer
- Kubernetes
- Nomad
- Rancher

# Container Software

Install Docker

$ curl -LSs https://get.docker.com | sh
$ sudo usermod -aG docker $USER
$ sudo systemctl enable --now docker

Install Podman

$ sudo dnf install podman

# Container Software

Testing It Out

$ docker run hello-world

Hello from Docker!
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
 2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
    (amd64)
 3. The Docker daemon created a new container from that image which runs the
    executable that produces the output you are currently reading.
 4. The Docker daemon streamed that output to the Docker client, which sent it
    to your terminal.

To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash

Share images, automate workflows, and more with a free Docker ID:
 https://hub.docker.com/

For more examples and ideas, visit:
 https://docs.docker.com/get-started/

$ podman run hello-world
 
 [...]

# Container Software

Fedora Toolbox

$ sudo dnf install toolbox

$ toolbox enter

Creates an overlay system with a shared home directory

Great for testing and development!

# docker-compose

Allows cooperative containers
Helps sharing resources such as mounts or networks
Declarative YAML format file
Will eventually be integrated into the actual docker command line tool

version: "2"

services:
  bookstack:
    image: lscr.io/linuxserver/bookstack
    container_name: bookstack
    environment:
      - APP_URL=http://localhost/
      - DB_HOST=bookstack_db
      - DB_USER=bookstackuser
      - DB_PASS=bookstackpass
      - DB_DATABASE=bookstackapp
      - PUID=996
      - PGID=994
    ports:
      - 6875:80
    depends_on:
      - bookstack_db
    networks:
      - bookstack-tier
    restart: unless-stopped
    volumes:
      - ./data:/config


  bookstack_db:
    image: lscr.io/linuxserver/mariadb
    container_name: bookstack_db
    networks:
      - bookstack-tier
    environment:
      - MYSQL_ROOT_PASSWORD=bookstackdbrootpass
      - TZ=America/New_York
      - MYSQL_DATABASE=bookstackapp
      - MYSQL_USER=bookstackuser
      - MYSQL_PASSWORD=bookstackpass
      - PUID=996
      - PGID=994
    restart: unless-stopped
    volumes:
      - ./data:/config

networks:
  bookstack-tier:
    driver: bridge

$ sudo dnf install docker-compose

$ sudo dnf install podman-compose

{Container Alternatives}

VMs, and alternative tools

# VAGRANT

$ sudo dnf install vagrant
$ vagrant init hashicorp/bionic64
$ vagrant up
  Bringing machine 'default' up with 'virtualbox' provider...
  ==> default: Importing base box 'hashicorp/bionic64'...
  ==> default: Forwarding ports...
  default: 22 (guest)
  => 2222 (host) (adapter 1)
  ==> default: Waiting for machine to boot...
 
$ vagrant ssh
  vagrant@bionic64:~$ _

Allows for creating VMs from Code
Under the hood uses Virtual Box or other hypervisors
Each VM is configured with Ruby scripts
Can then provision VMs using inline shell, or dedicated shell scripts
EXCELLENT for test environments!

# VAGRANTFILE

Vagrant.configure("2") do |config|
  config.vm.box = "ubuntu/bionic64"
  config.vm.synced_folder ".", "/vagrant", disabled: true

  # StandAlone Server Only
  config.vm.define "server2" do |server2|
    server2.vm.network "private_network", ip: "192.168.42.20",
      virtualbox__intnet: "thnet"

    server2.vm.provider "virtualbox" do |vb|
      vb.name = "server2"
      vb.memory = "1024"
    end

    server2.vm.provision :shell, path: "./bootstrap_server.sh"
  end

  # Sensor to Server/Sensor
  config.vm.define "sensor1" do |sensor1|
    sensor1.vm.network "private_network", ip: "192.168.42.11",
      virtualbox__intnet: "thnet"

    sensor1.vm.provider "virtualbox" do |vb|
      vb.name = "sensor1"
      vb.memory = "1024"
    end

    sensor1.vm.provision :shell, path: "./bootstrap_sensor.sh"
  end

  # APT Repo
  config.vm.define "repo" do |repo|
    repo.vm.network "private_network", ip: "192.168.42.2",
      virtualbox__intnet: "thnet"

    repo.vm.provider "virtualbox" do |vb|
      vb.name = "repo"
      vb.memory = "1024"
    end

    repo.vm.provision :file, source: '../pkgs/deps.tgz', destination: "/home/vagrant/"
    repo.vm.provision :shell, path: "../bootstrap_repo.sh"
  end
end

# LXD

Made by Canonical
Orchestrate containers
- Can also do VMs with --vm
Easy snapshot and restore

$ sudo snap install lxd
$ sudo lxd init
$ lxc launch ubuntu:20.04 [--vm]

# MULTIPASS

$ sudo snap install multipass
$ multipass launch

Made by Canonical
Easy VMs from the command line

{Custom Images}

Have it your way

# DOCKERFILE

# Dockerfile
FROM alpine:latest
RUN apk add python3
ENTRYPOINT ["python3", "-m", "http.server"]

$ docker build -t pyserv .
 
$ docker image ls
REPOSITORY    TAG           IMAGE ID       CREATED         SIZE
pyserv        latest        fec6935a627e   3 minutes ago   54MB

Declarative document for building container images
Should be checked in to version control

Each directive creates a "layer" which is built upon (and can lead to huge sizes!)

# DOCKERFILE LINTS

$ docker run --rm -i hadolint/hadolint < Dockerfile

Unable to find image 'hadolint/hadolint:latest' locally
latest: Pulling from hadolint/hadolint
d0727728368a: Pull complete
Digest: sha256:1b47f3192d2c69c622863b84d5cccbfa0c1fac9022bfc297aa931e6d44e51608
Status: Downloaded newer image for hadolint/hadolint:latest
-:1 DL3007 warning: Using latest is prone to errors if the image will ever update. Pin the version explicitly to a release tag
-:2 DL3018 warning: Pin versions in apk add. Instead of `apk add <package>` use `apk add <package>=<version>`
-:2 DL3019 info: Use the `--no-cache` switch to avoid the need to use `--update` and remove `/var/cache/apk/*` when done installing packages

Lint your Dockerfiles!

https://github.com/hadolint/hadolint

# Container Registries

Repositories (public and private) for container images
Allows easily sharing and pulling images
Public Registries
- Docker Hub
- Quay.io
- AWS
- Others...

GitLab contains per-repository Registries

# Container Registries

Can also export containers, or save images to TAR files
These can then be loaded on another system

$ docker save pyserv -o pyserv.tar

$ ls -l
   inode Permissions Links Size Blocks User  Group Date Modified Name
62391693 .rw-r--r--@     1   83      8 kevin kevin 15 Jan 14:48  Dockerfile
62391694 .rw-------@     1 54Mi 110264 kevin kevin 15 Jan 14:57  pyserv.tar

$ tar tf pyserv.tar
9ba2039e49404b3ae8654f99e9d22564cfbeaf6588ec1c06ac048a5357853341/
9ba2039e49404b3ae8654f99e9d22564cfbeaf6588ec1c06ac048a5357853341/VERSION
9ba2039e49404b3ae8654f99e9d22564cfbeaf6588ec1c06ac048a5357853341/json
9ba2039e49404b3ae8654f99e9d22564cfbeaf6588ec1c06ac048a5357853341/layer.tar
fc9537bd0694747ea59e49ff8617bf343626b0fb3a4657c0cb8f02c859c4f909/
fc9537bd0694747ea59e49ff8617bf343626b0fb3a4657c0cb8f02c859c4f909/VERSION
fc9537bd0694747ea59e49ff8617bf343626b0fb3a4657c0cb8f02c859c4f909/json
fc9537bd0694747ea59e49ff8617bf343626b0fb3a4657c0cb8f02c859c4f909/layer.tar
fec6935a627eb73a17b0269f95aa5cda4b1c5d70c032c87e333d7827ce1d4154.json
manifest.json
repositories

# Working with Images

Tips for working with Container Images and Layers

$ curl -OL \
  https://github.com/wagoodman/dive/releases/download/v0.9.2/dive_0.9.2_linux_amd64.rpm
$ sudo dnf install ./dive*.rpm

https://github.com/wagoodman/dive

{Recipes}

Scripting...lite

github.com/casey/just

# JUST

$ curl \
  --proto '=https' --tlsv1.2 -sSf https://just.systems/install.sh | \
  bash -s -- --to ~/.local/bin/

github.com/stepchowfun/toast

# TOAST

image: ubuntu
tasks:
  install_figlet:
    command: |
      apt-get update
      apt-get install --yes figlet

  greet:
    dependencies:
      - install_figlet 
    command: figlet 'Hello, World!'

$ curl https://raw.githubusercontent.com/stepchowfun/toast/main/install.sh -LSfs | sh

{Day 03}

Monitoring, Remote Admin, and Hardening

{Monitoring}

Watching everything

# MONITORING

Known Requirements
Ephemeral Data
Useful in Troubleshooting
May not be useful long term

Live

Historical

Long term storage
Can "go back in time" to visualize events
May be raw/unprocessed data

Actioned

Actions taken on events
AKA Alerting
May spawn more logging
Consider attribution!

Built In-(ish) Monitoring

# MONITORING

The tops (top, memtop, ptop, sntop, vtop, htop)
- + Modern Alternatives
ps, free, du (and family), df, lsblk, watch
systemd
network monitoring utilities
- Basic tools can be used to view the state of the system (ip, ifconfig, netstat, lsof, iptables, tcpdump, ping, nslookup, arp, traceroute/mtr)
- nethogs

Consider the difference between local node monitoring, and "entire system" monitoring

# CONTAINER MONITORING

$ docker stats
CONTAINER ID   NAME                      CPU %     MEM USAGE / LIMIT    MEM %     NET I/O           BLOCK I/O         PIDS
036b8ad6c7c2   tak_takserver_1           1.82%     5.313GiB / 31.4GiB   16.92%    444MB / 2.08GB    0B / 1.13MB       368
a3c79a328776   tak_pg_1                  0.11%     259.1MiB / 31.4GiB   0.81%     927MB / 183MB     16.4kB / 2.96GB   10
3a36813ff86c   tak_openfire_1            0.12%     678.7MiB / 31.4GiB   2.11%     9.01MB / 12.2MB   0B / 852kB        64
b360b0eee623   metrics_node-exporter_1   0.00%     21.22MiB / 31.4GiB   0.07%     0B / 0B           17.9MB / 0B       19
73be46dd33fa   metrics_cadvisor_1        6.09%     202MiB / 31.4GiB     0.63%     155MB / 8.29GB    31.4MB / 0B       42

docker stats

https://github.com/jesseduffield/lazydocker

# PROMETHEUS

Time Series Database
Primarily a "Pull/Scrape" Methodology
- Does support a "Push Gateway"
Metrics are provided by the logged application via "Exporters"
Uses a Query Language called PromQL
Great for ad-hoc queries and basic visualization

# Graphana

The visualization tool of choice
Works amazing with Prometheus (and many other databases too)
Has a decent learning curve
Can download/use pre-made dashboards
Many Prometheus Exporters come with Graphana dashboards

Key Dashboards / Exporters
- node_exporter
- cAdvisor

# Graphana - NODE_EXPORTER

# Graphana - CADVISOR

{Private Services}

Remote Services...but private

# CONNECTIVITY

Internal vs. External Connectivity
Common
- SSH (Derivatives; Mosh, Auto-SSH, sshuttle etc.)
- wstunnel, stunnel, OBFSProxy
- Layer 3 VPNs
  - IPSec
  - OpenVPN
  - Tinc
  - Wireguard (Derivatives; Nebula, Tailscale, Innernet, etc.)
- Layer 2 VPNs
  - ZeroTier

# WIREGUARD

In Kernel (userspace implementations and kmods exist too)
Noise Protocol
Simple (vs. easy)
ChaCha20Poly1305
- Performance
- Efficiency (i.e. battery life)
NOT Configurable
Low Level Primitive
Possibly Quantum Resistant with Optional PSK

# WIREGUARD

$ sudo dnf install wireguard-tools
$ sudo mkdir /etc/wireguard
$ cd /etc/wireguard
$ sudo wg genkey | tee hub.private | wg pubkey > hub.public
$ sudo wg genkey | tee client.private | wg pubkey > client.public

# /etc/wireguard/wg0.conf
[Interface]
PrivateKey = 2DiO+Ox5cURGbFLWniVmx/N1laqYGIZpv/IPDuiYkVg=
Address = 10.10.10.1/24
ListenPort = 51820
DNS = 1.1.1.1

# Client
[Peer]
PublicKey = hrbwZZxxjVuP7QvlWm9YDyg+40ftgQo5mKRrWmekpFw=
AllowedIPs = 10.10.10.2/32
PersistentKeepalive = 25

$ sudo systemctl enable --now wg-quick@wg0

# SSH CONFIG FILES

Host myserver
  HostName 51.127.128.14
  User kevink
  IdentityFile ~/.ssh/roshi
  UserKnownHostsFile /dev/null
  StrictHostKeyChecking no
  PasswordAuthentication no
  IdentitiesOnly yes
  LogLevel FATAL
  Compression yes
  Port 22

Use them!
Makes SSH (and SCP) a breeze to use
Stored in ~/.ssh/config

Supports Globs and ! syntax
Can be overridden with

-F FILE

-o "option=value"

# SSH TUNNELS

Can be used to forward *local* traffic to a remote server (extremely useful for remote dashboards)
Can be used to forward local through *through* a remote server (i.e. a poor man's VPN)

$ ssh user@host -L 8080:127.0.0.1:3000 -N

can be specified multiple times

$ pip3 install --upgrade --user sshuttle
$ sshuttle -r user@host 0.0.0.0/0

can be used to exclude subnets

-x

-L

{Easy Mode Remote Admin}

Enough of this terminal...

# COCKPIT

A Web GUI for your servers
Made by Redhat
Works on Ubuntu based distros as well
Additional plugins control things like Containers, VMs, etc.
Can be used for local machine too!

$ sudo dnf install cockpit
$ sudo systemctl enable --now cockpit cockpit.socket
$ sudo firewall-cmd --permanent --zone=public --add-service=cockpit
$ sudo firewall-cmd --reload

{Hardening}

Make 'em work for it

# HARDENING

Shotgun Blast vs Targeted
Whats the goal: Meeting a policy?
Consider a Zero Trust Model
Types of hardening, and from whom:
- Network
- System
- Application
Schedule Red Team Assessments (even if only internal)

The Most Low Hanging Fruit Will Be the Exploit!

The defense must be correct 100% of the time, but the offense only needs to be correct once!

Many issues boil down to permissions

# SSH HARDENING

If you do nothing else - Do this

PermitRootLogin prohibit-password # or 'no' even better
PasswordAuthentication yes # Normally this should be 'no'
PrintLastLog yes
PermitEmptyPasswords no
MaxAuthTries 3
ClientAliveInterval 200
ClientAliveCountMax 3
MaxSessions 3
HostbasedAuthentication no

KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr

Macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256

$ sudo chown root:root /etc/ssh/sshd_config
$ sudo chmod 0600 /etc/ssh/sshd_config
$ sudo systemctl restart sshd

# RUST-MOTD

github.com/rust-motd/rust-motd

Configure via: $HOME/.config/rust-motd/config.toml

[service_status]
docker = "docker"
gitlab-runner = "gitlab-runner"

[uptime]
prefix = "Up"

[filesystems]
root = "/"

[fail_2_ban]
jails = ["sshd", "anotherjail"]

[last_login]
kevin = 2
root = 3

[last_run]

# SYSTEMD SERVICE HARDENING

We can harden on a per-service basis

This should be the first thing you reach for!

$ sudo systemd-analyze security
UNIT             EXPOSURE PREDICATE
atd.service           9.6 UNSAFE
crond.service         9.6 UNSAFE
httpd.service         9.2 UNSAFE
mariadb.service       8.8 EXPOSED
sshd.service          9.6 UNSAFE

$ sudo systemd-analyze security httpd.service
  NAME                   DESCRIPTION                                          EXPOSURE
✗ PrivateDevices         Service potentially has access to hardware devices        0.2
✓ PrivateTmp             Service has no access to other software's temporary files
✗ ProtectControlGroups   Service may modify to the control group file system       0.2
✗ ProtectHome            Service has full access to home directories               0.2
✗ ProtectKernelTunables  Service may alter kernel tunables                         0.2
✗ ProtectSystem          Service has full access to the OS file hierarchy          0.2
✗ RestrictSUIDSGID       Service may create SUID/SGID files                        0.2
✗ RootDirectory          Service runs within the host's root directory             0.1
…
→ Overall exposure level for httpd.service: 9.2 UNSAFE

Full list of systemd service unit options

# FAIL2BAN

Ban IPs based on failed login attempts

There are times fail2ban isn't as useful as you'd think

$ sudo dnf install fail2ban

$ sudo cp /etc/fail2ban/fail2ban.{conf,local}
$ sudo cp /etc/fail2ban/jail.{conf,local}

$ sudo systemctl enable --now fail2ban

$ sudo tail -f /var/log/fail2ban.log

To see "jailed" IPs

$ sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	0
|  `- File list:	/var/log/auth.log
`- Actions
   |- Currently banned:	0
   |- Total banned:	0
   `- Banned IP list:	

# unban an IP
$ sudo fail2ban-client set sshd unbanip 1.2.3.4

# CROWDSEC

github.com/crowdsecurity/crowdsec

"CrowdSec is a free, modern & collaborative behavior detection engine, coupled with a global IP reputation network"

Similar to a distributed fail2ban
Requires a detection engine + a "bouncer"

# HARDENING

CentOS Hardening will be covered in Day 04 via OpenSCAP

# UBUNTU-HARDENING

github.com/konstruktoid/hardening

$ git clone https://github.com/konstruktoid/hardening
$ cd hardening
$ sed -i "s/CHANGEME=''/CHANGEME=foo" ubuntu.cfg
$ sudo bash ubuntu.sh

Primarily only good for Ubuntu based systems, however some of the internal scripts are applicable across many distros

{SELinux}

Oh no...

# SELINUX

One of two popular Linux Security Module (LSM) (a third is being built)
- AppArmor (Ubuntu) and Sandbox are the other two
Originally developed by NSA
Now maintained by Red Hat and the default LSM on RHEL based distros
A reputation for being extremely complex
Most people unfortunately just disable it

Three Primary Modes:

Enforcing
Permissive
Disabled

# SELINUX

Configuration File: /etc/selinux/config

# Get the current mode
$ sudo getenforce
$ sudo sestatus

# Temporarily Change Modes
$ sudo setenforce [enforcing|permissive|1|0]

Common Commands:

getenforce | setenforce
semanage [boolean|port|fcontext] [-l]
ausearch
chcon | restorecon | matchpathcon
semodule

# SELINUX CONTEXT LABELS

Uses a MAC pattern vs traditional Unix DAC pattern
Fundamentally all files contain "labels" which consist of contexts in the form of
- USER : ROLE : TYPE : LEVEL
- suffixed _u, _r, _t (and prefix s)
Adding -Z to a command will display SELinux information, such as with ls or ps

$ ps -eZ
LABEL                               PID TTY          TIME CMD
system_u:system_r:init_t:s0           1 ?        00:00:14 systemd
system_u:system_r:kernel_t:s0         2 ?        00:00:00 kthreadd
system_u:system_r:httpd_t:s0      25134 ?        00:00:00 httpd

restorecon PATH will set the file context to whatever the system configuration specifies (view or change with semanage fcontext [--list])

# SELINUX FCONTEXT

restorecon PATH will set the file context to whatever the system configuration specifies (view or change with semanage fcontext [--list])

$ sudo semanage fcontext -l
SELinux fcontext                    type               Context

/home                               directory          system_u:object_r:home_root_t:s0
/home                               symbolic link      system_u:object_r:home_root_t:s0
/home/(.*/)?\.snapshots(/.*)?       all files     

$ sudo semanage fcontext -a -t unconfined_u:object_r:user_home_t:s0 /home
$ sudo restorecon -v -r /home

Caution

files retain the context they had previously
files *may not* retain the context they had previously
files inherit the context of the parent directory

MOVED

COPIED

CREATED

# SELINUX BOOLEANS

Booleans are on/off switches

List with semanage boolean --list

$ sudo semanage boolean -l
SELinux boolean                State  Default Description
  ...
xend_run_blktap                (on   ,   on)  Allow xend to run blktap
xend_run_qemu                  (on   ,   on)  Allow xend to run qemu
xguest_connect_network         (on   ,   on)  Allow xguest to connect network
xguest_exec_content            (on   ,   on)  Allow xguest to exec content
xguest_mount_media             (on   ,   on)  Allow xguest to mount media
  ...
  
$ setsbool [-P] xguest_connect_network off

Means permanent

-P

# SELINUX PORTS

The Firewall **AND** SELinux Control Network Access

List with semanage port --list

$ sudo semanage port -l
SELinux Port Type              Proto    Port Number

afs3_callback_port_t           tcp      7001
afs_fs_port_t                  udp      7000, 7005
afs_ka_port_t                  udp      7004
amanda_port_t                  tcp      10080-10083
amqp_port_t                    tcp      15672, 5671-5672
amqp_port_t                    udp      5671-5672
asterisk_port_t                udp      2427, 2727, 4569
  
$ sudo semanage port -a -p udp -t asterisk_port_t 8989

Means ADD

-a

Means DELETE

-d

Means MODIFY

-m

# SELINUX TROUBLESHOOTING

ausearch is most helpful in displaying errors

$ sudo ausearch -m avc -ts recent
----
time->Tue Dec 21 10:15:53 2021
type=AVC msg=audit(1640099753.877:245): avc:  denied  { write } for  pid=2368 comm="flatpak" name="system_bus_socket" dev="tmpfs" ino=2513 scontext=system_u:system_r:fedoratp_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=0
----
time->Tue Dec 21 10:15:53 2021
type=AVC msg=audit(1640099753.893:246): avc:  denied  { write } for  pid=2370 comm="flatpak" name="system_bus_socket" dev="tmpfs" ino=2513 scontext=system_u:system_r:fedoratp_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=0
----

Narrow down to a specific component (comm= above) with -c
Other valid time values: this-year, this-month, week-ago, yesterday, today, boot, now
audit2allow can be used to create a custom policy (and loaded via semodule)

# SELINUX

Instead of setting the entire system to permissive, consider changing just the problem domain

$ ps -eZ
LABEL                               PID TTY          TIME CMD
system_u:system_r:init_t:s0           1 ?        00:00:14 systemd
system_u:system_r:kernel_t:s0         2 ?        00:00:00 kthreadd
system_u:system_r:httpd_t:s0      25134 ?        00:00:00 httpd

$ sudo semanage permissive -a httpd_t

Means ADD

-a

Means DELETE

-d

Means MODIFY

-m

{Firewalls}

Not in my house

# IPTABLES

Rule based firewalls
Rules are designated for different "chains" which are part of different "tables"
Each packet is filtered through these chains of rules, one after the other
At each rule, the kernel decides whether to perform an action (such as drop) on the packet if it matches the rule, or let it continue processing
- The action may be something simple like, "log and continue processing" or "allow"
The packet is sent through these chains of rules and through the different tables until either an action is performed on the packet that drops it, or ultimately the default rule is applied (i.e. it makes it all the way through all rules of all chains of all tables)
Packets can match multiple rules, but are processed in order
Let's visualize this...

# IPTABLES

Chains

In it's simplest form (the default table known as the FILTER table), there are three chains in order of processing
- INPUT: Packets coming in
- FORWARD: Packets being forwarded
- OUTPUT: Packets going out
When we talk about tables, different tables may have different chains

# IPTABLES

Tables

Although you'll primarily use the default table, there is one other table you should know
- nat
The nat table includes the following four chains in order of processing:
- PREROUTING
- INPUT
- OUTPUT
- POSTROUTING

# IPTABLES

Rule Syntax

The first thing you should know: iptables -L
- Lists the chains for the default table
- The table can be changed with -t <TABLE>
One can "Flush" or reset the rules of a table with -F
- iptables -F
- iptables -t nat -F
Before we spoke about the default policy, which is if the rule makes it to the end of a chain, what should happen.
- By default the policy is ALLOW for all chains
- You can change the policy of a particular chain with -P
  - iptables -P INPUT DROP

# IPTABLES

Policy

When changing the default policy, ESPECIALLY of a remote box, be sure not to cut your current connection
By default iptables rules are non-persistent and will be reset on reboot
We can save and restore rulesets with
- iptables-save > /tmp/iptables-v4
- iptables-restore < /tmp/iptables-v4
There are packages which will do this for us automatically at boot
- iptables-persistent
  - To save (which will auto restore at next boot):
    - dpkg-reconfigure iptables-persistent

# IPTABLES

Modifying Chains

Rules can be modified (appended, inserted, or deleted) on chains with these various commands

Command	Function
iptables -A <CHAIN>	"Append" a rule at the bottom of <CHAIN>
tcpdump -I <CHAIN> <NUM>	Insert a rule on <CHAIN> and rule number <NUM>
iptables -D <CHAIN> <NUM>	Delete rule number <NUM> from <CHAIN>

TIP: it can be helpful to use the `--line-numbers` option which will display the line numbers of the rules for easier inserting/deleting

# IPTABLES

Rules

Now that we know how to view tables and chains, and list or modify the current rules, we actually learn about the rules themselves
Most rules are similar to using tcpdump, you can specify "filters" to match packets
There are various flags and switches which modify or add these filters to the rule
Some flags/switches enable other flags and switches
- These are known as "match extensions"

# IPTABLES

Rules

Option / Flag	Function
-j <ACTION>	What to do with the packet. Normally: * ACCEPT * LOG * DROP * MASQUERADE
-p [!] <PROTO>	Match a particular protocol like 'tcp' or 'udp'
-i <IFACE>	Match only on input interface <IFACE>. If '!' is included it reverses the rule
-d [!] <IP>[/cidr]	Destination IP/network. If '!' is included it reverses the rule
-s [!] <IP>	Source IP/network. If '!' is included it reverses the rule
-o <IFACE>	Only match output interface <IFACE>
-m <NAME>	Performs a "match" matches can be thought of as "modules" and enable other "matching options/flags" More on this later...
--dport <NUM>	Destination port
--sport <NUM>	Source port

Common Rule options/switches

# IPTABLES

Matches

Option / Flag	Function
-m conntrack	Adds a --ctstate <STATE> flag where you can match connection states * ESTABLISHED * RELATED * NEW * INVALID Can be comma separated like ESTABLISHED,RELATED Also adds --ctproto
-m comment	Allows adding comments with --comment "some comment"
-m multiport	Allows matching on more than one port with --dports <port1,port2>
-m iprange	Allows --src-range and --dst-range for a range of IPs
-m log	Adds --log-level <#> to only log at specified logging levels
-m udp OR -m tcp	Adds --sport and --dport that will match only TCP or UDP ports

Common match names (modules)

List of all extensions: http://ipset.netfilter.org/iptables-extensions.man.html

# IPTABLES

Tips

When working with iptables open two terminals, or a split screen
In one screen run the iptables commands
In the other run:
- watch -n 1 iptables -L --line-numbers

# IPTABLES

# IPTABLES

*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
-N port-scanning
-N syn_flood
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --syn -j syn_flood
-A INPUT -p icmp -m limit --limit 1/sec --limit-burst 1 -j ACCEPT
-A INPUT -p icmp -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix PING-DROP
-A INPUT -p icmp -j DROP
-A INPUT -f -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m connlimit --connlimit-above 80 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with tcp-reset
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A port-scanning -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec --limit-burst 2 -j RETURN
-A port-scanning -j DROP
-A syn_flood -m limit --limit 1/sec --limit-burst 3 -j RETURN
-A syn_flood -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
*mangle
:PREROUTING ACCEPT
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
-A PREROUTING -m conntrack --ctstate INVALID -j DROP
-A PREROUTING -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags PSH,ACK PSH -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
COMMIT

# IPTABLES

[Unit]
Description=Packet Filtering Framework
After=network-online.target
Requires=network.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/sbin/iptables-restore /etc/ipv4.rules
ExecReload=/sbin/iptables-restore /etc/ipv4.rules
ExecStop=/sbin/iptables -P INPUT ACCEPT
ExecStop=/sbin/iptables -P FORWARD ACCEPT
ExecStop=/sbin/iptables -F

[Install]
WantedBy=multi-user.target

$ sudo systemctl daemon-reload
$ sudo systemctl enable --now iptables.service

Enable IP Forwarding

In order to use the FORWARD chains or any nat'ing you'll have to enable IP forwarding in the kernel
To check if forwarding is already enabled
- $ cat /proc/sys/net/ipv4/ip_forward
- if you see a 0 fowarding is NOT enabled
- if you see a 1 forwarding is enabled
To enable forwarding use
- # echo 1 > /proc/sys/net/ipv4/ip_forward

# IPTABLES

The Uncomplicated FireWall

Default in Ubuntu based distros
Uses iptables under the hood
Sometimes deceptively "simple"

# UFW

$ sudo ufw status
ufw: active

$ sudo ufw allow ssh/tcp
$ sudo ufw deny 8888/udp
$ sudo ufw limit 80/tcp
$ sudo ufw deny from 192.168.1.100/24 on eth0 proto any

Default in RHEL based distros
Uses nftables under the hood by default (can be switched to iptables)
MUCH easier (but larger!) CLI
Still a complex system due to trying to paper over a complex system
Focuses on "zones"
Can be controlled via XML files on the system...(blech)
Ephemeral!
- Don't forget --reload or --permanent
Supports raw iptables syntax too

# FIREWALLD

$ sudo firewall-cmd --state
$ sudo firewall-cmd --get-*
$ sudo firewall-cmd --zone=internal --add-port=25/tcp

# IPTABLES

How does this compare to nftables?
Where does firewalld and firewall-cmd fit in?
What about ufw?

Outstanding Questions

{Day 04}

Scanning, Recap and Capstone

{Scanning}

Tell me what's wrong

# LYNIS

Automated heath and security scanning for Linux

# LinPEAS

Searches for Privilege Escalation Paths

Can also be 'curl | bash'ed

# OpenSCAP

Very comprehensive scan against "policies"
Generates a nice interactive HTML report
Can generate "remediation" fixes in either shell scripts or Ansible playbooks based on findings
Used to meet "enterprise" standards

Some distros lack the needed "policies" (Ubuntu)
Some distros require workarounds (CentOS)

Running an OpenSCAP Scan

# OpenSCAP

$ sudo dnf install -y openscap-scanner scap-security-guide

$ sudo oscap xccdf eval \
	--profile xccdf_org.ssgproject.content_profile_stig \
	--report $(hostname)-scap-report.$(date +%Y%m%d).html \
	--results $(hostname)-scap-xccdf.$(date +%Y%m%d).xml \
	--cpe /usr/share/xml/scap/ssg/content/ssg-rhel8-cpe-dictionary.xml \
	--fetch-remote-resources \
	/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
    
# first scan gives `notapplicable` for everything
# The workaround...

$ sudo cp /usr/share/openscap/cpe/openscap-cpe-dict.xml{,.dist}
$ sudo cp /usr/share/openscap/cpe/openscap-cpe-oval.xml{,.dist}
$ sudo curl -L \
  https://raw.githubusercontent.com/OpenSCAP/openscap/maint-1.3/cpe/openscap-cpe-dict.xml \
  -o /usr/share/openscap/cpe/openscap-cpe-dict.xml
$ sudo curl -L \
  https://raw.githubusercontent.com/OpenSCAP/openscap/maint-1.3/cpe/openscap-cpe-oval.xml \
  -o /usr/share/openscap/cpe/openscap-cpe-oval.xml
$ sudo sed -i \
-e 's|idref="cpe:/o:redhat:enterprise_linux|idref="cpe:/o:centos:centos|g' \
-e 's|ref_id="cpe:/o:redhat:enterprise_linux|ref_id="cpe:/o:centos:centos|g' \
/usr/share/xml/scap/ssg/content/ssg-rhel*.xml

OpenSCAP Workbench

# OpenSCAP

{Q&A}

Questions?

{Capstone}

Now do it.

Student	Control	Back Proxy	Front Proxy
Student01	137.184.98.24 10.136.0.3	143.198.167.106 10.136.0.2	104.248.115.67 10.136.0.22
Student02	159.223.122.166 10.136.0.9	137.184.158.238 10.136.0.19	198.211.99.131 10.136.0.31
Student03	159.223.114.187 10.136.0.7	159.223.96.252 10.136.0.21	104.248.115.77 10.136.0.23
Student04	137.184.219.176 10.136.0.5	147.182.186.155 10.136.0.13	104.248.115.87 10.136.0.25
Student05	137.184.195.184 10.136.0.4	137.184.99.29 10.136.0.17	104.248.115.102 10.136.0.28
Student06	159.223.118.134 10.136.0.12	147.182.218.170 10.136.0.14	104.248.115.84 10.136.0.24
Student07	159.223.122.250 10.136.0.10	137.184.63.109 10.136.0.15	104.248.115.99 10.136.0.27
Student08	159.223.122.135 10.136.0.8	137.184.213.156 10.136.0.20	104.248.115.90 10.136.0.26
Student09	159.223.114.42 10.136.0.6	137.184.135.121 10.136.0.18	104.248.115.120 10.136.0.29
Student10	159.223.118.112 10.136.0.11	137.184.105.180 10.136.0.16	104.248.115.132 10.136.0.30

# IP SPACE

# DIAGRAM

{Digital Safe}

1

2

3

4

Fedora (35)

Taking Notes

{Day 01}

{Procurement}

1.

2.

3.

{Attribution}

Attribution Pillars

{Linux}

{Shell Setup}

Combining Commands (Pipes)

Redirecting

Special Redirecting

Oh My ZSH

Auto Suggestions

Syntax Highlighting

Abbrev Alias

Built In Plugins

Custom Prompts - Starship

FZF - The Fuzzy Finder

Navi - Personal Cheat Sheet

Navi Cheats Example

{Pre-Scripting}

Variables

Variable Continued

Creating and Using Variables

{Substitutions and Expansion}

{Version Control}

Basics

Branching

Branches (cont.)

github.com (and alternatives)

{Scripting}

Making a Script

Running a Script

Making Scripts Executable

Modifying $PATH

Loops

Loops in Scripts

Making Decisions

Caveat to Conditionals

Failing

{Python}

What is Python?

Why use Python?

Variables

Types

Strings

Lists

List Slicing

dict

Set

Conditionals

Loops

for Loop

for Loop Cont.

Functions

Keyword Arguments

Testing with a REPL

{Ansible}

Ansible

Inventories

Running Playbooks

{Day 02}

{Containers}

{Container Alternatives}

{Custom Images}

{Recipes}

github.com/stepchowfun/toast

{Day 03}

{Monitoring}

Live

Historical

Actioned