- Click on settings
PGP key GUI tool – Kleopatra
https://www.openpgp.org/software/kleopatra/
dnf install kleopatra
Remove weak Ciphers SSL – nginx
GCM is preferred over CBC
- Verify which cipher suites the server currently offers:
nmap --script ssl-enum-ciphers -p 443 example.com
- update nginx.conf
ssl_ciphers HIGH:!aNULL:!MD5:!TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256;
(each entry is separated by ':'; nginx hands this string to OpenSSL, which expects OpenSSL cipher names such as ECDHE-RSA-AES128-SHA256 rather than the IANA form written above)
AD integration with linux ssh login and sudo access
ad_join.sh
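#!/bin/bash
# ad_join.sh — join this host to Active Directory (RHEL-family only), then
# adjust sssd, sshd and sudoers so AD groups control SSH login and sudo rights.
# Must run as root; 'realm join' prompts for the join account's password.

# Every step below writes under /etc and restarts services, so refuse to run
# unprivileged instead of failing half-way through.
if (( EUID != 0 )); then
  echo "This script must be run as root." >&2
  exit 1
fi

# Idempotency guard: a non-empty 'realm list' means the host is already joined.
# stderr is discarded so a missing realmd does not clutter the output; in that
# case the output is empty and the script continues to the install step.
if [[ -n "$(realm list 2>/dev/null)" ]]; then
  echo "This server is already joined to domain."
  realm list | head -n 1
  exit 0
fi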
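#######################################
# Make AD logins use short names (user instead of user@domain) and plain
# /home/<user> home directories, then restart sssd to apply the change.
# Globals:   none
# Arguments: none
# Outputs:   diagnostics to stderr
# Returns:   1 if /etc/sssd/sssd.conf is missing or sssd fails to restart, else 0
#######################################
function update_sssd_config() {
  local -r conf=/etc/sssd/sssd.conf
  # realm join creates this file; without it there is nothing to edit and
  # the join most likely failed.
  if [[ ! -f "$conf" ]]; then
    echo "update_sssd_config: $conf not found; did realm join succeed?" >&2
    return 1
  fi
  # Assumes realm join wrote 'use_fully_qualified_names = True'; flipping it
  # lets the AllowGroups and sudoers entries use bare group names.
  sed -i 's/use_fully_qualified_names = True/use_fully_qualified_names = False/g' "$conf"
  # Keep the home directory layout consistent with the short-name login.
  sed -i 's|/home/%u@%d|/home/%u|g' "$conf"
  if ! systemctl restart sssd; then
    echo "update_sssd_config: failed to restart sssd" >&2
    return 1
  fi
}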
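#######################################
# Limit SSH logins to the root group and the AD group ssh-access-group.
# The new config is validated with 'sshd -t' before sshd is restarted, and the
# previous file is restored if validation fails, so a bad edit cannot lock
# administrators out.
# Globals:   none
# Arguments: none
# Outputs:   diagnostics to stderr
# Returns:   1 on backup or validation failure, otherwise the status of
#            'systemctl restart sshd' (0 if the rule was already present)
#######################################
function restrict_ssh_access_group() {
  local -r cfg=/etc/ssh/sshd_config
  local -r marker=updated_by_ad_join
  # Idempotency marker: a previous run already appended the rule.
  if grep -q -- "$marker" "$cfg"; then
    return 0
  fi
  local -r backup="${cfg}.bak.ad_join"
  cp -p -- "$cfg" "$backup" || return 1
  {
    echo "###############updated_by_ad_join.sh###############"
    echo "AllowGroups root ssh-access-group"
  } >> "$cfg"
  # sshd uses the first occurrence of a keyword, so an AllowGroups line that
  # already exists earlier in the file silently takes precedence over this
  # one; 'sshd -T' shows the effective value.
  if ! sshd -t; then
    echo "restrict_ssh_access_group: sshd rejected the new config; restoring $backup" >&2
    cp -p -- "$backup" "$cfg"
    return 1
  fi
  systemctl restart sshd
}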
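#######################################
# Append tiered sudo rules for three AD groups to /etc/sudoers.
# The candidate file is assembled in a private temp file and checked with
# 'visudo -cf' before it replaces the live file: a syntax error in
# /etc/sudoers disables sudo for everyone until repaired from a root shell.
# Globals:   none
# Arguments: none
# Outputs:   diagnostics to stderr
# Returns:   1 if the temp file cannot be created or visudo rejects the rules,
#            else 0 (also 0 when the rules were already present)
#######################################
function sudo_access_level_group() {
  local -r sudoers=/etc/sudoers
  # Idempotency marker: a previous run already appended the rules.
  if grep -q -- "updated_by_ad_join" "$sudoers"; then
    return 0
  fi
  # mktemp creates the file 0600, which matters because it holds a copy of
  # the full sudoers policy.
  local tmp
  tmp=$(mktemp) || return 1
  cat -- "$sudoers" > "$tmp" || { rm -f -- "$tmp"; return 1; }
  # NOTE: vi and nano can spawn a shell, so SUDO_ACCESS_LEVEL2 is in practice
  # equivalent to full root; sudoedit is the intended way to grant file editing.
  cat >> "$tmp" <<'EOF'
###############updated_by_ad_join.sh###############
Cmnd_Alias SUDO_ACCESS_LEVEL1 = /usr/bin/ls, /usr/bin/cat 
Cmnd_Alias SUDO_ACCESS_LEVEL2 = /usr/bin/vi, /usr/bin/nano 
%sudo-group-level1 ALL=(ALL) NOPASSWD: SUDO_ACCESS_LEVEL1
%sudo-group-level2 ALL=(ALL) NOPASSWD: SUDO_ACCESS_LEVEL2
%sudo-group-full-access ALL=(ALL) NOPASSWD: ALL
EOF
  if ! visudo -cf "$tmp" >/dev/null; then
    echo "sudo_access_level_group: visudo rejected the new rules; $sudoers left unchanged" >&2
    rm -f -- "$tmp"
    return 1
  fi
  # Write through the existing file so its 0440 mode and ownership are kept.
  cat -- "$tmp" > "$sudoers"
  rm -f -- "$tmp"
}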
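#check os
# Only RHEL-family distributions are handled; the package names below are
# yum specific. Matching is case-insensitive so fields with capitalised
# vendor names (e.g. an Oracle Linux NAME= line) are recognised as well.
if grep -Eqi "centos|redhat|fedora|rhel|oracle|rocky" /etc/os-release; then
  yum install sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients -y \
    || { echo "package installation failed; aborting before realm join" >&2; exit 1; }
  # realm join prompts for the join account's password. AD_JOIN_USER and
  # AD_DOMAIN may be set in the environment to override the defaults; a
  # dedicated join account with only the rights needed to join computers is
  # preferable to using administrator.
  realm join -vvv --user="${AD_JOIN_USER:-administrator}" "${AD_DOMAIN:-ad.example.com}" \
    || { echo "realm join failed; leaving sssd, sshd and sudoers untouched" >&2; exit 1; }
  #call function
  update_sssd_config
  restrict_ssh_access_group
  sudo_access_level_group
fi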
Jenkins AD integration and access management
- First take a backup of /var/jenkins_home/config.xml, or take a snapshot if it is a VM.
Method 1: (all users get the same admin access)
- Manage jenkins > Configure Global Security > Active Directory
Domain name : example.com
Domain Controller : ad.example.com
Bind DN : [email protected]
Bind Password : <jenkins-svc-account password>
Note: you may need to apply the setting first and then click Test Domain;
otherwise it reports the error `simple bind failed: ad.example.com:389`.
The domain name (example.com) must also be resolvable from the Jenkins host, or an entry must be added to /etc/hosts:
192.168.122.6 example.com
Method 2: Matrix-based security
Method 3: Role-based strategy (pending)
AD user and jenkins screenshot for reference
- Check ldap port in powershell
tnc example.com -port 389
Test-NetConnection -ComputerName example.com -Port 389
Build haskell static binary with docker
Why?
– Reduce the attack surface
– Reduce docker image size
hola.hs
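{-# LANGUAGE OverloadedStrings #-}
-- hola.hs: minimal Scotty web service used to demonstrate a static binary build.
-- GET /<word> answers with an HTML greeting that embeds <word>.
import Web.Scotty
import Data.Monoid (mconcat)
import Data.String (fromString)

-- | Escape the characters that carry meaning in HTML so a user-supplied
-- value can be embedded in markup without being interpreted as tags or
-- attributes.
escapeHtml :: String -> String
escapeHtml = concatMap esc
  where
    esc '<'  = "&lt;"
    esc '>'  = "&gt;"
    esc '&'  = "&amp;"
    esc '"'  = "&quot;"
    esc '\'' = "&#39;"
    esc c    = [c]

main :: IO ()
main = scotty 3000 $
  get "/:word" $ do
    -- The path segment is client-controlled input; read it as a String so it
    -- can be escaped before it is placed in the response body. Without the
    -- escaping, markup in the path would be reflected verbatim into the page
    -- (reflected XSS).
    beam <- param "word" :: ActionM String
    html $ fromString $ mconcat ["<h1>Scotty, ", escapeHtml beam, " me up!</h1>"]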
alpine.Dockerfile
# Stage 1: build the binary with the full Haskell toolchain. Nothing from
# this stage except /opt/hola reaches the final image.
FROM haskell:8 AS build
WORKDIR /opt
RUN cabal update
RUN cabal install --lib scotty
COPY hola.hs .
#RUN ghc --make -threaded hola.hs -o hola
# -optl-static/-optl-pthread are passed to the linker so the binary carries
# its libraries itself and can run on the minimal alpine base below.
RUN ghc --make -threaded -optl-static -optl-pthread hola.hs -o hola

# Stage 2: ship only the binary on a small base image (no compiler, no
# cabal store, no sources), which is what shrinks the image and its attack
# surface.
FROM alpine:3.15.0
# Create an unprivileged system account and drop root for the runtime stage.
RUN addgroup -S group1 && adduser -S user1 -G group1
USER user1
WORKDIR /opt
COPY --from=build /opt/hola .
# Documents the port scotty listens on (3000 in hola.hs); EXPOSE alone does
# not publish it.
EXPOSE 3000
CMD ["/opt/hola"]
More on haskell static binary –
capture TLS/HTTPS traffic via tcpdump
Only TLS handshake records (payload byte 0x16), not all TLS traffic:
tcpdump -ni eth0 "(tcp[((tcp[12] & 0xf0) >> 2)] = 0x16)"
TLS traffic with port
tcpdump -ni eth0 "tcp port 443 and (tcp[((tcp[12] & 0xf0) >> 2)] = 0x16)"
TLS traffic with host ip
tcpdump -ni eth0 "tcp host 10.10.10.10 and (tcp[((tcp[12] & 0xf0) >> 2)] = 0x16)"
Capture packets for wireshark
tcpdump -vvvv -A -i weave '((dst port 80) and (net 10.36.0.15))' -w app2.cap
sudo tcpdump -vvvv -A -i eth0 -w app2.cap
More : https://stackoverflow.com/questions/39624745/capture-only-ssl-handshake-with-tcpdump
https://www.wireshark.org/docs/wsug_html_chunked/AppToolstcpdump.html
Open a listening port with nc:
nc -l 8888
Connect to the port:
nc localhost 8888
Send data using bash's /dev/tcp:
echo -n "hello" >/dev/tcp/localhost/8888
Install OpenVAS on CentOS 8 (note: the first step below disables SELinux permanently; setting SELINUX=permissive is a less drastic option if SELinux only blocks the installer)
sed -i 's/enforcing/disabled/g' /etc/selinux/config
reboot
dnf update
yum config-manager --set-enabled PowerTools
yum install epel-release
wget -q -O - http://www.atomicorp.com/installers/atomic |sh
(note: this downloads an installer over plain HTTP and pipes it straight into sh with no integrity check; prefer an HTTPS source and review the script before executing it)
yum install openvas
openvas-setup
More : https://github.com/Atomicorp/gvm
- Cronjob to update CVE database
10 1 * * * /usr/sbin/greenbone-nvt-sync > /dev/null
10 2 * * * /usr/sbin/greenbone-scapdata-sync > /dev/null
10 3 * * * /usr/sbin/greenbone-certdata-sync > /dev/null
Openvas API:
gvm-cli --gmp-username USERNAME --gmp-password PASSWORD socket --sockpath /var/run/gvm/gvmd.sock --xml "<get_tasks/>"
(a password given on the command line is visible in process listings and shell history; prefer the gvm-tools configuration file)
gvm-cli socket --sockpath /var/run/gvm/gvmd.sock --xml "<get_version/>"
Apply selinux rules to file
SELinux adds one more layer of security on top of Linux.
To label an SSL directory with the SELinux context expected by the web server:
ls -ltrZ
sestatus -b
chcon -h system_u:object_r:httpd_config_t:s0 ssl
(note: chcon labels are lost on a filesystem relabel; make the label persistent with semanage fcontext -a -t httpd_config_t '<path>(/.*)?' followed by restorecon -Rv <path>)