Security
Authentication
Automated Code/Infra Scanning
Listed first, since automated scanning of code and infrastructure is the cheapest first line of defense against compromise: it catches known-bad patterns before anything is deployed.
- Semgrep: Static Analysis at ludicrous speed.
- Ships rules for Dockerfiles and Kubernetes manifests as well as application code
- tfsec: Terraform Security Scanner
Infrastructure Scanning
- GovReady GitHub: A government-sponsored project that maps open source tools onto government standards. Policies for CentOS and Ubuntu exist, along with many other resources.
- OpenSCAP: Open source tool to audit and evaluate system security against SCAP content
- Lynis: Another security scanner for Linux/Unix systems, focused on common standards and best practices. Far easier to install and configure than OpenSCAP.
General Info
- Free CyberSecurity Services and Tools - CISA
- Configuration Standards
- Center for Internet Security: Provides configuration guides for common OS and server software.
- Linux Foundation Workstation Guidelines: Excellent overview for securely configuring a Linux workstation
- Endian: Appliance for security and hotspot management
- IPFire: Linux based firewall distro
- Mailu: Docker based e-mail system. If I were to deploy a mail system today, this would be the basis. Granted, I feel that there is limited justification for hosting one’s own mail system.
- Odessa: Alternative to Autopsy/Sleuth Kit for Open Source forensics work.
- OPNsense: FreeBSD based firewall (forked from pfSense). Prefer it architecturally to pfSense
- Snort: Open source intrusion detection system.
SSL/TLS Information
- Let’s Encrypt: Freely available certificates for websites. Requires an ACME client, as the certificates are only valid for 90 days, but many clients exist. I currently use EFF Certbot
- ZeroSSL: Web-based way to obtain Let’s Encrypt certificates without installing a client. WARNING: if you use their website tools you are completely trusting that site, since it handles the private key. Do not do this for any site that will carry sensitive information! Honestly, those kinds of sites should probably purchase an EV certificate anyway.
- Also offers 1-year certificates and ACME protocol integration. A nice alternative certificate provider if needed
- Step-CA: Automated on-prem CA. Needs additional research; more inclined to just leverage the SSL Private CA section below.
SSL Private CA
- Build a CA
- See JamieLinux.com for a good walkthrough.
- Create a key and CSR for a new certificate (the command prompts for the subject fields listed under Parameters)
openssl req -out mydomain.csr -new -sha256 -newkey rsa:2048 -nodes -keyout mydomain.key
- Parameters
- Country: US
- State: Michigan
- Locality Name: Full City Name
- Organization Name: Company
- Organizational Unit: Department
- Common name: fqdn.mydomain.com
- Email: blank
- Defaults for rest
- Sign Certificate
openssl ca -config openssl.cnf -in mydomain.csr -out mydomain.crt
- openssl.cnf here is the CA’s config from the walkthrough (it names the CA key, cert, database and serial file). Pass -extensions with a server-cert section so the CA, not the CSR, decides the extensions and SANs.
Using a Private CA - Cert Manager
Leveraging cert-manager
Create a TLS secret from the CA’s certificate and private key (not the leaf cert signed above). Pass the PEM files as-is; kubectl base64-encodes them. A ClusterIssuer reads its secret from cert-manager’s own namespace (cert-manager by default), so create it there:
kubectl -n cert-manager create secret tls internalca --cert=path/to/ca.crt --key=path/to/ca.key
Then create an issuer that uses that secret
kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: ca-issuer
spec:
  ca:
    secretName: internalca
EOF
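The private CA steps above and the cert-manager issuer, run end to end as an added example (my script, not code from the page, JamieLinux or cert-manager). It assumes a minimal openssl.cnf written inline, Detroit as the locality, "Internal Root CA" as the root’s CN, the file names ca.key/ca.crt/mydomain.*, and a Certificate resource named fqdn-mydomain-com that references the ca-issuer from the page. It also shows a check the page does not: the CSR deliberately requests CA:TRUE, and the signed certificate still comes out CA:FALSE because openssl ca applies its own extension section rather than copying the CSR’s.

```shell
#!/bin/sh
# Added example (not code from the page): the private-CA steps above run end to
# end with openssl, then a cert-manager Certificate written out. The minimal
# openssl.cnf, the DN values and all file names are assumptions.
set -eu
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Minimal CA config; JamieLinux's walkthrough has a fuller, production-grade one.
cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = internal_ca
[ internal_ca ]
dir           = .
database      = $dir/index.txt
new_certs_dir = $dir/newcerts
serial        = $dir/serial
certificate   = $dir/ca.crt
private_key   = $dir/ca.key
default_md    = sha256
default_days  = 365
policy        = policy_any
[ policy_any ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
[ req ]
distinguished_name = req_dn
prompt             = no
[ req_dn ]
CN = Internal Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:fqdn.mydomain.com
EOF

build_ca() {   # self-signed root with CA:TRUE and keyCertSign; keep ca.key offline
  mkdir -p newcerts && : > index.txt && echo 1000 > serial
  openssl genrsa -out ca.key 4096 2>/dev/null
  openssl req -config openssl.cnf -new -x509 -sha256 -days 3650 -key ca.key \
    -extensions v3_ca -out ca.crt \
    -subj "/C=US/ST=Michigan/L=Detroit/O=Company/OU=Department/CN=Internal Root CA"
}

request_leaf() {
  # The page's CSR command with -subj replacing the interactive prompts. -addext
  # deliberately asks for CA:TRUE: a requester can put anything in a CSR.
  openssl req -config openssl.cnf -new -sha256 -newkey rsa:2048 -nodes \
    -keyout mydomain.key -out mydomain.csr -addext "basicConstraints=CA:TRUE" \
    -subj "/C=US/ST=Michigan/L=Detroit/O=Company/OU=Department/CN=fqdn.mydomain.com" \
    2>/dev/null
}

sign_leaf() {
  # The page's signing command plus -extensions: the CA dictates the extensions,
  # and without copy_extensions the CA:TRUE requested in the CSR is dropped.
  openssl ca -config openssl.cnf -batch -notext -extensions v3_server \
    -in mydomain.csr -out mydomain.crt 2>/dev/null
}

chain_verifies() {   # prints ok if mydomain.crt chains to ca.crt, else bad
  if openssl verify -CAfile ca.crt mydomain.crt >/dev/null 2>&1; then echo ok; else echo bad; fi
}
leaf_basic_constraints() {   # prints CA:TRUE or CA:FALSE as actually issued
  openssl x509 -in mydomain.crt -noout -text | grep -o 'CA:[A-Z]*' | head -n 1
}

write_certificate_manifest() {
  # A Certificate that requests from the page's ca-issuer ClusterIssuer. The
  # issuer's Secret holds the CA cert/key and lives in cert-manager's namespace:
  #   kubectl -n cert-manager create secret tls internalca --cert=ca.crt --key=ca.key
  cat > certificate.yaml <<'EOF'
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: fqdn-mydomain-com
spec:
  secretName: fqdn-mydomain-com-tls
  dnsNames:
    - fqdn.mydomain.com
  issuerRef:
    name: ca-issuer
    kind: ClusterIssuer
EOF
}

build_ca
request_leaf
sign_leaf
write_certificate_manifest
echo "chain=$(chain_verifies) $(leaf_basic_constraints); artifacts in $WORK"
```

Run it as-is and inspect the temp directory it prints. The important design choice is that the CSR is treated as untrusted input: the signing step passes -extensions v3_server and the config sets no copy_extensions, so nothing a requester puts in the CSR (CA:TRUE, extra SANs) reaches the issued certificate. For per-host SANs in real use, generate the server section per request or use cert-manager, which builds the extensions itself.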