Meetups/Infra/2024-11-18

From Noisebridge

Talk of security, auditing, and Noisebridge infrastructure. Some spooky stories, a bit late for October.


Introductions

  • Loren -- welcome, let's build some infra, for NB, for ourselves, for companies, for friends, for communities. For our enemies.
  • Greg -- programmer, here to talk about infrastructure. It's very boring, but that's what I'm here for.
  • Kevin -- infrastructure-holic. Been in the program a few months now, we all rely on cloud-based infrastructure. Every time we unlock our phones, check email, log in to a site. I need the help of a higher power! Richard M Stallman, I pray to thee. Miracles? Political project.
  • Kevin -- system administrator, I do homelab stuff at home. Self-hosting.
  • Sameer -- full-stack dev, trying to get back into infra work.


Lesson or Demo

  • Read aloud, to clarify for the meetup: we are taking notes in a Riseup pad (or I am; help and links appreciated). Meeting notes are posted to the wiki: noisebridge.net, search "Infra", or Meetups/Infra (the Infrastructure page has a disambiguation link).
  • Shell, web services, self-hosting, networking!

Steno(graphy) - https://github.com/openstenoproject/plover

Security audit things.

  • Greg - have used `lynis`.
  • Have found a security problem in a library. Not been able to report it.
  • Kevin - have done government and ISO audits.

If you have the document, you have top-level policies. There are many ways to implement them, but the auditors are checking that you can confirm you're doing this, e.g. 30-day password rotation.

Haven't done healthcare, HIPAA or others.

Seen a PCI one: are you doing these things in a reasonable manner?

Government audits pull from existing standards, sometimes changing them, sometimes seemingly just for the sake of changing them. Rigor increases with classification level; government, especially DoD, does a better job of seeking thorough assurance that the audit standard is correctly implemented.

Easy audit standards:

  • Accounting for all of what you have, i.e. that you haven't lost any of it, including scanning every month. Someone needs to check at intervals, and someone else needs to perform the check too.
    • NetBox, networking source of truth.
    • SnipeIT, basic asset database.

(Standards often don't specify how, but it helps to prove you know where everything is.)

    • Wolf -- story of folder labelled shred, with 10 years of data.
    • A large part of compliance was third-party software: asking the vendor to explain how it works.
    • Red-teaming: a few issues with the API.
  • When do people ask for red-teaming audits? In this case, it was done internally. The company had a particular NIH (not-invented-here) syndrome.
  • Kevin -- worked for a small company, bought by a medium-sized company, an SF startup. They killed the acquired product. Had a large monolith, breaking it up into microservices. The monolith was self-hosted in data centers; the microservices were hosted in AWS. Red-teaming was warned in advance; each microservice had wildly different protocol, IAM, and web security standards. Told to comply with OWASP recommendations. Made a scanner, using boto3. Made a sheet. Product momentum was so much more important to them.
  • Infrastructure as code -- to define?
    • Terraform, CloudFormation, Pulumi? They had one guy.
  • Ran into limits: AWS hadn't implemented certain things. Wanted security related to the external domain name, securing it for the whole company domain, which is normal outside AWS (firewall, caching).
  • Worked at a large social gaming company. They had no security; you would ssh in as root. You can still read the stories online.
    • True of many companies. Until security is forced by an external
  • Docker containers: required capabilities such as CAP_SYS_ADMIN and CAP_SYS_PTRACE, mounting /proc or /sys.

Running systemd in Docker required some reworking (GKE).

https://github.com/gdraheim/docker-systemctl-replacement
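The capability question above is easy to answer from inside a running container. Added example for these notes (not the meetup's code, Docker's or the kernel's): decode the Cap* hex masks from /proc/self/status into capability names and flag the ones that amount to host root. The Docker default mask a80425fb and the bit numbers are the real kernel values; the "host-equivalent" list is this example's own choice, and the sample status text is constructed.

```python
"""Decode Linux capability masks, to see what a container really holds.

Added example for these notes; not code from the meetup, Docker or the kernel.
Inside a container, `grep Cap /proc/self/status` prints hex bitmasks. This turns
them back into names so you can check whether CAP_SYS_ADMIN or CAP_SYS_PTRACE
came in via --privileged or --cap-add.
"""
from typing import Dict, List, Set

# Bit positions as defined in the kernel's linux/capability.h
# (CAP_CHOWN = 0 ... CAP_CHECKPOINT_RESTORE = 40).
CAP_NAMES: List[str] = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER", "CAP_FSETID",
    "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE",
    "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST", "CAP_NET_ADMIN", "CAP_NET_RAW",
    "CAP_IPC_LOCK", "CAP_IPC_OWNER", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT",
    "CAP_SYS_PTRACE", "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD", "CAP_LEASE",
    "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP", "CAP_MAC_OVERRIDE",
    "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM", "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ",
    "CAP_PERFMON", "CAP_BPF", "CAP_CHECKPOINT_RESTORE",
]

# Capabilities this example treats as host-root-equivalent (directly, or easily
# escalated to it). The set is this example's choice, not a Docker or kernel list.
HOST_EQUIVALENT: Set[str] = {
    "CAP_SYS_ADMIN", "CAP_SYS_PTRACE", "CAP_SYS_MODULE", "CAP_SYS_RAWIO",
    "CAP_DAC_READ_SEARCH", "CAP_NET_ADMIN", "CAP_BPF", "CAP_SYS_BOOT",
}


def decode_mask(hex_mask: str) -> Set[str]:
    """Turn a hex capability mask (e.g. '00000000a80425fb') into capability names."""
    mask = int(hex_mask, 16)
    names: Set[str] = set()
    for bit in range(mask.bit_length()):
        if (mask >> bit) & 1:
            names.add(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_UNKNOWN_{bit}")
    return names


def parse_proc_status(status_text: str) -> Dict[str, Set[str]]:
    """Extract the CapInh/CapPrm/CapEff/CapBnd/CapAmb lines of /proc/<pid>/status."""
    caps: Dict[str, Set[str]] = {}
    for line in status_text.splitlines():
        if line.startswith("Cap") and ":" in line:
            key, _, value = line.partition(":")
            caps[key.strip()] = decode_mask(value.strip())
    return caps


def risky_caps(status_text: str) -> Set[str]:
    """Effective capabilities that fall in the host-equivalent set."""
    return parse_proc_status(status_text).get("CapEff", set()) & HOST_EQUIVALENT


# Constructed sample: the Cap lines as /proc/self/status prints them for a process
# under Docker's default capability set (a80425fb is that well-known 14-cap mask).
DOCKER_DEFAULT_STATUS = (
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\n"
    "CapBnd:\t00000000a80425fb\n"
    "CapAmb:\t0000000000000000\n"
)

# Constructed sample: the same container started with
# --cap-add=SYS_ADMIN --cap-add=SYS_PTRACE (bits 21 and 19 set on top of the default).
CAP_ADDED_STATUS = DOCKER_DEFAULT_STATUS.replace("a80425fb", "a82c25fb")

if __name__ == "__main__":
    import os
    text = DOCKER_DEFAULT_STATUS
    if os.path.exists("/proc/self/status"):       # real data when run on Linux
        with open("/proc/self/status") as f:
            text = f.read()
    for key, names in parse_proc_status(text).items():
        print(f"{key}: {', '.join(sorted(names)) or '(none)'}")
    print("host-equivalent in CapEff:", sorted(risky_caps(text)) or "none")
```

Run it inside the container in question; if CAP_SYS_ADMIN or CAP_SYS_PTRACE shows up in CapEff, the container was started with --privileged or --cap-add. For the systemd-in-Docker case the hardening direction is the reverse: start from `--cap-drop=ALL` and add back only the capabilities the service demonstrably needs.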

First steps, securing

https://max.levch.in/post/724289457144070144/shamir-secret-sharing-its-3am-paul-the-head-of

"Awesome" Enterprise Security lists

Minimal root of trust setup

What does an effective minimal root of trust setup look like?

  • Depends on threat model.
  • Mom: write passwords down and keep them in a drawer. Other

On roots of trust: same principle as with backups. You should be testing backups, you should be testing restores. You should be testing.


Backups. Restic is Sameer's favorite. Three things you would want: dedup, compression, encryption. It has a few years of trust behind it.

More so than bup.

Blockwise backups with Restic and rdiff-backup.net.

Colin Percival's Tarsnap is worthy of mention: picodollar billing, scrypt.
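Two of the three properties above (dedup and compression) plus the "test your restores" point are easy to show in a toy. Added example for these notes, not restic's, bup's or Tarsnap's code: a content-addressed store where each chunk is written once under its SHA-256 and zlib-compressed, and a restore check that rebuilds the snapshot and re-hashes every chunk. It assumes fixed-size chunks and skips encryption, both of which real restic does differently; the sample files are constructed.

```python
"""A content-addressed, compressed backup store with a restore check: a toy of the
dedup + compress bookkeeping in tools like restic, plus the "test your restores" step.

Added example for these notes, not restic's code. restic additionally encrypts
every blob and uses content-defined chunking; this example uses fixed 4 KiB
chunks and no encryption, so it only shows the bookkeeping.
"""
import hashlib
import zlib
from typing import Dict, List, Tuple

CHUNK_SIZE = 4096  # fixed-size chunks; restic picks boundaries with a rolling hash


class Repo:
    def __init__(self) -> None:
        self.blobs: Dict[str, bytes] = {}                # sha256(chunk) -> compressed chunk
        self.snapshots: List[Dict[str, List[str]]] = []  # snapshot -> {path: [chunk ids]}
        self.bytes_stored = 0                            # uncompressed bytes that were new

    def _store(self, chunk: bytes) -> str:
        digest = hashlib.sha256(chunk).hexdigest()
        if digest not in self.blobs:                     # dedup: identical chunks written once
            self.blobs[digest] = zlib.compress(chunk, 6)
            self.bytes_stored += len(chunk)
        return digest

    def backup(self, files: Dict[str, bytes]) -> int:
        """Store a snapshot of {path: contents}; returns the snapshot index."""
        manifest = {
            path: [self._store(data[i:i + CHUNK_SIZE])
                   for i in range(0, len(data), CHUNK_SIZE)]
            for path, data in files.items()
        }
        self.snapshots.append(manifest)
        return len(self.snapshots) - 1

    def restore(self, snap: int) -> Dict[str, bytes]:
        """Rebuild every file of a snapshot from its chunks."""
        return {
            path: b"".join(zlib.decompress(self.blobs[d]) for d in digests)
            for path, digests in self.snapshots[snap].items()
        }

    def restore_and_verify(self, snap: int) -> Tuple[bool, List[str]]:
        """The check the discussion asks for: actually walk the restore and re-hash
        each chunk. Returns (ok, paths whose data is missing, unreadable or altered)."""
        bad: List[str] = []
        for path, digests in self.snapshots[snap].items():
            for d in digests:
                blob = self.blobs.get(d)
                try:
                    ok = blob is not None and \
                        hashlib.sha256(zlib.decompress(blob)).hexdigest() == d
                except zlib.error:                       # bit rot / truncated blob
                    ok = False
                if not ok:
                    bad.append(path)
                    break
        return (not bad, bad)


# Constructed sample data: two identical files and one highly repetitive log.
SAMPLE_FILES: Dict[str, bytes] = {
    "notes.txt": b"hello" * 1000,
    "copy-of-notes.txt": b"hello" * 1000,
    "app.log": b"x" * 10000,
}

if __name__ == "__main__":
    repo = Repo()
    snap = repo.backup(SAMPLE_FILES)
    print("input bytes:", sum(len(v) for v in SAMPLE_FILES.values()),
          "| stored after dedup:", repo.bytes_stored,
          "| compressed on disk:", sum(len(b) for b in repo.blobs.values()))
    print("restore verified:", repo.restore_and_verify(snap))
```

The point of restore_and_verify is that the manifest alone proves nothing: a backup whose blobs have silently rotted still lists every file. Real tools expose the same check (restic's `check --read-data` reads and re-hashes every pack), and the discussion's advice is to schedule it, not just the backup.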

Aegis authenticator app. https://getaegis.app/

Vault (HashiCorp). Google test failure, on periodic secret check.

Infra minimal

If someone had development experience, but not infrastructure intuitions, what are the first pieces of advice? Pick a project, then learn all the things you need for that project. Following this process gives you more specific and concrete questions, and knowledge to serve as the basis for other projects, on your own or in service of others.

https://github.com/livialima/linuxupskillchallenge

Activities at infra meetup

Kevin -- let's talk about Brony & Discourse.

We talk about these abstractly.

We talk about spinning up projects. We have a place to host projects easily.

https://www.noisebridge.net/wiki/Brony

Thin approach would be:

  • fire up docker
  • build it out


Could attempt K8s or other deployment descriptor systems.

Hearing about updates. Start a thread in #infra-meetup chat.


Prometheus.


https://pol.is/3dmuc7ndsn


Questions, Discussion, or Coworking


For next time

https://pol.is/3dmuc7ndsn

https://sadservers.com/


Questions

Readings & Exercises


Join online

  • Try it yourself!
    • Join libera.chat #nb-meetup-infra

https://www.noisebridge.net/wiki/Meetups/Infra