Automated Code/Infra Scanning
Toward the top, as automated scanning of code and infrastructure is the first line of defense against security compromise.
- Semgrep: Static Analysis at ludicrous speed.
- tfsec: Terraform Security Scanner
- GovReady Github: An entire Government sponsored site that integrates open source tools into government standards. Policies for CentOS and Ubuntu exist, as well as a lot of other resources.
- OpenSCAP: Open source tool to read and evaluate system security based on SCAP standards
- Lynis: Another security scanner for Linux/Unix systems, focusing around common standards and best practices. Seems far easier to install and configure than OpenSCAP.
- Free CyberSecurity Services and Tools - CISA
- Configuration Standards
- Endian: Appliance for security and hotspot management
- IPFire: Linux based firewall distro
- Mailu: Docker based e-mail system. If I were to deploy a mail system today, this would be the basis. Granted, I feel that there is limited justification for hosting one’s own mail system.
- Odessa: Alternative to Autopsy/Sleuth Kit for Open Source forensics work.
- OPNSense: OpenBSD based firewall. Prefer it architecturally to pfSense
- Snort: Open source intrusion detection system.
- Let’s Encrypt: Freely available certificates for websites. Requires a client as the certficates are only valid for 90 days, but many clients exist. I currently use EFF Certbot
- Zero SSL: Method to obtain Let’s Encrypt Certificates without installation. *WARNING:- If
using their website tools, you are completely trusting this site. Do not do this for any site in which sensitive information
will be transmitted! Although honestly, those type of sites should probably purchase an EV certification.
- Also supports 1 year certificates, and ACME protocol integration. I nice alternative SSL provider if needed
- Step-CA - Automated on-prem solution. Needs additional research - and more inclinded to just leverage SSL Private CA below.
SSL Private CA
- Build a CA
- See JamieLinux.com for a good walkthrough.
- Build a new certificate
openssl req -out mydomain.csr -new -sha256 -newkey rsa:2048 -nodes -keyout mydoamin.key
- Country: US
- State: Michigan
- Locality Name: Full City Name
- Organization Name: Company
- Organizational Unit: Department
- Common name: fqdn.mydomain.com
- Email: blank
- Defaults for rest
- Sign Certificate
openssl ca -config openssl.cnf -in mydomain.csr -out mydomain.crt
Using a Private CA - Cert Manager
Create a secrete with the crt and key above (base64 encoded)
kubectl create secret tls internalca --cert=path/to/cert/file --key=path/to/key/file
Then create an issuer for that key
kubectl apply -f - <EOF apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: name: ca-issuer spec: ca: secretName: internalca EOF