Categories
ITOps Random

OpenVPN – Docker Quick Start

Quick and easy VPN setup using OpenVPN Docker image, on Amazon Linux 2023.

References

Installation steps

Install docker on amazon linux 2023

dnf update -y dnf install docker -y systemctl enable docker systemctl start docker

OpenVPN Access Server Docker Image

# see: https://openvpn.net/as-docs/docker.html#run-the-docker-container docker pull openvpn/openvpn-as docker run -d \ –name=openvpn-as –cap-add=NET_ADMIN \ -p 943:943 -p 4443:4443 -p 1194:1194/udp \ -v /root/openvpn-server:/openvpn \ openvpn/openvpn-as # Modify ports and hostname as appropriate
cd /root/openvpn-server/etc vim ./config-local.json
docker restart openvpn/openvpn-as # Get Temp password docker logs openvpn-as | grep -i “Auto-generated pass” # Scroll to find the line, Auto-generated pass = “[password]”. Setting in db..

Configure your OpenVPN services

# Use the generated password sign in to the Admin Web UI. # username: openvpn https://[my_hostname_or_pubip].com:943/admin/ # Check the hostname setting.. put in yourhostname… https://[my_hostname_or_pubip]:943/admin/network_settings # Stop the VPN services and start to ensure changes loaded and persistent: https://[my_hostname_or_pubip]:943/admin/status_overview # Create a user and a new Token Url for the user to import the profile

Windows Client set up

# Install with winget: winget install -e –id OpenVPNTechnologies.OpenVPNConnect # Once installed, get the token which will be something like: openvpn://https://[my_hostname_or_pubip]:043/ConnectClient/[token].ovpn # Put in browser and should open up the OpenVPN client and import the profile, and connect

Checkout your traffic routing

Categories
Random

Writing ‘modern’ PowerShell Modules [2024]

Context

PowerShell was… initially a Windows component only, known as Windows PowerShell, it was made open-source and cross-platform on August 18, 2016, with the introduction of PowerShell Core. The former is built on the .NET Framework, the latter on .NET (previously .NET Core). PowerShell – Wikipedia

As Microsoft is no longer updating Windows PowerShell with new features it makes sense to use the procedure for ‘Developing modern modules‘ which are (hopefully) portable to any OS running PowerShell.

If creating a new module, the recommendation is to use the .NET CLI.

Create module from ‘Standard Template’

# Install .NET SDK > winget install Microsoft.DotNet.SDK.8 Found Microsoft .NET SDK 8.0 [Microsoft.DotNet.SDK.8] Version 8.0.204 … Successfully installed # Install a ‘template library to generate a simple PowerShell module’ > # Install .NET SDK > winget install Microsoft.DotNet.SDK.8 Found Microsoft .NET SDK 8.0 [Microsoft.DotNet.SDK.8] Version 8.0.204 … Successfully installed # Install a ‘template library to generate a simple PowerShell module’ ## Requires NuGet source enabled > dotnet nuget add source https://api.nuget.org/v3/index.json -n nuget.org > dotnet new install Microsoft.PowerShell.Standard.Module.Template # Create a new module project > mkdir myPSModule; cd .\myPSModule > dotnet new ps5module

Categories
Random

Azure Virtual Secure Administration Workstation – Part 4 – Configuring Entra SSO

Azure Secure Admin Workstation posts:


Context and References

Troubleshooting and Errors

  • After not being able to sign in with an Entra user, took a look at:

Error: Unable to connect right now

  • Likely related to the AVD VM’s ability to talk to required Entra endpoints
    • An easy way to validate this is to add a temporary allow all outbound TLS
Categories
ITOps Random

Mounting CloudShell Persistence Storage locally

Context

  • CloudShell is very handy for working with Azure and M365, it removes the issues of PowerShell versioning/modules/authentication and is hosted within you Azure infrastructure boundary, providing some mitigation to privileged access and administrator device risks.
  • When implementing an Azure Virtual Secure Administration Workstation solution I ended up wasting a bunch of time editing files via the Azure CloudShell instead of locally, this resulted in silly typos (due to lack of syntax highlights, error correction and all the other goodness of an IDE like Visual Studio Code.
  • To solve this issue I want to mount my CloudShell persistent storage locally, enabling me to edit files locally and immediately test in CloudShell, without pushing/pulling and inevitable conflicts between local and remote.
  • Turns out that this is much easier than expected using

References

Procedure

  1. Install the Azure Account and Azure Storage extensions for VSCode:
  2. Sign in with the extension in VScode:
    • CTRL+SHIFT+P > Azure: Sign in
      • Opens browser AuthFlow
  3. Open Azure Cloud Shell (PowerShell) in VSCode Terminal:
    • CTRL+SHIFT+P > Terminal: Create New Terminal (With Profile)
      • If you don’t have NodeJS installed the extension will ask you to install (providing button to click..) the link the extension provided was to an older version of NodeJS and not latest… suggest just using: Node.js (nodejs.org)
  1. Mount your CloudDrive share locally
    • I had some issues doing this with VScode following: How to Use Cloud Shell in Visual Studio Code
    • Instead I am just using the Azure Extensions Resource Explorer (SHIFT+ALT+A), navigating to the fileshare and selecting files (which opens them in VScode local window)
    • NOTE: The CloudDrive is not your enitire CloudShell homedir, its ~/clouddrive
Categories
Random

Excel report with all ECR vulnerabilities

  • Testing and gaining familiarity with PowerShell!
Categories
ITOps Random

Unable to delete Azure Firewall?

TLDR: Fix it

  • If you have removed/deleted a Firewall policy or attachment to the Azure Firewall – re-attach it, or create the policy/attachment with the same name (you will see the name in the CLI output as detailed below).
  • Once you have re-attached, re-created (just empty policy with same name) you can then delete the Firewall (recommended using Azure Cloud PowerShell) with command:
    • Obviously updating -Name and -ResourceGroup parameters.
Remove-AzFirewall -Name "ZOAK-SecureGateway-Firewall" -ResourceGroupName "ZOAK-SecureAccessGateway-ResourceGroup" -Force

Remove-AzFirewall: Long running operation failed with status ‘Failed’

The Azure UI does not give must detail regarding error messaged
$ Remove-AzFirewall -Name "ZOAK-SecureGateway-Firewall" -ResourceGroupName "ZOAK-SecureAccessGateway-ResourceGroup"
...
Remove-AzFirewall: Long running operation failed with status 'Failed'. Additional Info:'The Resource 'Microsoft.Network/firewallPolicies/ZOAK-SecureGateway-Firewall-BasicPolicy' under resource group 'ZOAK-SecureAccessGateway-ResourceGroup' was not found. For more details please go to https://aka.ms/ARMResourceNotFoundFix'
StatusCode: 200
ReasonPhrase: OK
Status: Failed
ErrorCode: ResourceNotFound
ErrorMessage: The Resource 'Microsoft.Network/firewallPolicies/ZOAK-SecureGateway-Firewall-BasicPolicy' under resource group 'ZOAK-SecureAccessGateway-ResourceGroup' was not found. For more details please go to https://aka.ms/ARMResourceNotFoundFix

Once attempting to delete via CLI I actually got a meaningful error message:

Additional Info:'The Resource 'Microsoft.Network/firewallPolicies/ZOAK-SecureGateway-Firewall-BasicPolicy' under resource group 'ZOAK-SecureAccessGateway-ResourceGroup' was not found.

That resource had already been deleted… so, re-recreate (just and empty policy) with same name… attached it, then I could delete.

Categories
Random

Eramba bulk reviews with SQL queries

We utilise the open GRC source tool, Eramba; some instances of which are the community edition which does not have an API interface. In some scenarios it is desirable make bulk updates/completions of reviews (and potentially update status of audits).

Doing this is slightly less trivial than expected… steps are:

  • Generate a list of review ids and foreign keys (maps review objects to model object [Asset, SecurityPolicy, ThirdPartyRisk, Risk]
  • Update the relevant review objects with completion date, comments, completed status
  • Create new reviews entries for next cycle
  • Update the model object [Asset, SecurityPolicy, ThirdPartyRisk, Risk] to reference the new, next review date
  • Update the object status mapping for the updated reviews (expired and current statuses in this case)
  • Validate your updated via the web interface
    • No clearing of cache of waiting for jobs is required
-- Generate a list of review ids and foreign keys (in this case the foreign keys are for the associated Assets being reviewed):

SELECT CONCAT_WS(',',Model,id,foreign_key) from reviews where planned_date = '2022-04-19' and model = 'Asset';

-- Update the relevant review objects as desired:

update reviews set actual_date = '2022-04-20',user_id = 2, description = 'No changes to store [components, customer, deployment etc, all same] added to ISMF Agenda ', completed = 1, modified = now(), edited = now()  where id in (select id from reviews where planned_date = '2022-04-19' and model = 'Asset');

-- Create new reviews (this is usually done by the app when completing the review via the web interface, review objects need a Model [Asset, SecurityPolicy, ThirdPartyRisk, Risk] (other models have audits):

INSERT INTO 
	reviews(model, foreign_key, planned_date, completed, created, modified, deleted)
VALUES
('Asset',115,'2023-04-19',0,now(),now(),0),
('Asset',116,'2023-04-19',0,now(),now(),0),
...;

-- Update the Asset object to reference the new, next review date (get asset ID from query used to get review id + foreign_key)
update asset set review = '2023-04-19', expired_reviews = 0 where id in (select foreign_key from reviews where planned_date = '2022-04-19' and model =  'Asset');

-- Eramba has object statuses, the list of available statuses is defined in the object_status_statuses table; the mapping of objects to statuses is in the table: object_status_object_statuses
-- Note there will be better, safer queries to do this..:

-- Check the results select query so we know what we are updating
select * from object_status_object_statuses where foreign_key in (select id from reviews where planned_date = '2022-04-19' and model =  'Asset') and model = 'AssetReview' and name = 'expired';

-- Update the object status mappings for relevant items, in this case there are two statuses that need to be updated, the expired status (now should be 0_ and the current status (now should be 1)

update object_status_object_statuses set status = 0 where id in (select id from object_status_object_statuses 
where foreign_key in (select id from reviews where planned_date = '2022-04-19' and model =  'Asset') and model = 'AssetReview' and name = 'expired');

update object_status_object_statuses set status = 1 where id in (select id from object_status_object_statuses 
where foreign_key in (select id from reviews where planned_date = '2022-04-19' and model =  'Asset') and model = 'AssetReview' and name = 'current_review');

Categories
Random

Getting Started with Concepts App

I regularly like to make rough diagrams/plans by drawing on paper. As I have an iPad Pro with a stylus sitting next to me I have often thought there would be some benefits to being able to use a sketching diagram to:

  • Stop losing/damaging paper sketches
  • Easily undo mistakes
  • Leverage things like copy and paste
  • Infinite canvas
  • Ability to zoom in and out

To this end I am trying: Concepts App • Infinite, Flexible Sketching

Starting with a SkillShare course Draw with Concepts app: Basic Digital Illustration for Beginners

SkillShare – Course

  • Vector based app (infinite canvas + no pixilation)
  • User interface
    • Supports pressure sensitive stylus + palm rejection
    • Projects -> Files
    • Top right tools, customizable change tools
      • Line thickness, Opacity, Smoothness (0 for pen tip)
      • Color palette (make your own palette)
      • Layers pallet (automatic will separate layers by tool, recommended)
        1. Coloring with pencil, drawing with pen easy with auto layers
        2. Duplicate layers, transparency, visibility etc.
      • Tools + Brushes
        • Can buy new via pro
      • Precision palette
        • Grid, Snap, Measure, Guide
      • Gestures
        • 2 finger tap – undo
  • Workflow
    • Ran through a demo, drawing an images from a picture
      • Changing tools/brushes
      • Hold push + item select/select all layers

Other resources

Categories
ITOps Random

Eramba Community 2019 in Docker (docker-compose)

Eramba is an excellent open source Governance Risk and Compliance tool. Recently (10-SEP-2019), a new major release of the community version came out. Previously I used https://github.com/digitorus/eramba which was based on https://hub.docker.com/r/k0st/alpine-eramba/ to start eramba instances quickly with docker and docker-compose.

As I could not find an updated version of these for the new release I have made one. The repo for this, 2019 community version (specifically c2.4.1) can be found here: https://github.com/markz0r/eramba-community-docker

Follow the steps in README.md and you should be testing the new eramba in no time.

Mar, 2020: Updated for community edition 2.8.1

Thanks to the team at Eramba for making the tool available for all!

Categories
Random

Performance Benchmarks on CentOS 7 Linux

In a scenario where a VM is moved to different underlying hardware, it is generally a good idea to validate CPU, memory, disk IO and network.

CPU Benchmark

sysbench cpu --cpu-max-prime=20000 run

sysbench threads --num-threads=10 --thread-yields=0 --max-requests=100000000 --thread-locks=1 run

Memory Benchmark

sysbench memory --memory-block-size=1M --memory-total-size=100G run
sysbench memory --memory-total-size=10G run

File IO

sysbench fileio --file-total-size=5G prepare; sysbench fileio --file-total-size=5G --file-test-mode=rndrw --time=300 --max-requests=0 run
# Clean up
sysbench fileio --file-total-size=5G cleanup

Network latency, upload and download

wget https://raw.githubusercontent.com/sivel/speedtest-cli/master/speedtest.py; ./speedtest.py; rm -f ./speedtest.py