Category: Random

ITOps Random

OpenVPN – Docker Quick Start

Post author By mark
Post date June 26, 2024
No Comments on OpenVPN – Docker Quick Start

Quick and easy VPN setup using OpenVPN Docker image, on Amazon Linux 2023.

References

Installation steps

Install docker on amazon linux 2023

dnf update -y dnf install docker -y systemctl enable docker systemctl start docker

OpenVPN Access Server Docker Image

# see: https://openvpn.net/as-docs/docker.html#run-the-docker-container docker pull openvpn/openvpn-as docker run -d \ –name=openvpn-as –cap-add=NET_ADMIN \ -p 943:943 -p 4443:4443 -p 1194:1194/udp \ -v /root/openvpn-server:/openvpn \ openvpn/openvpn-as # Modify ports and hostname as appropriate
cd /root/openvpn-server/etc vim ./config-local.json
docker restart openvpn/openvpn-as # Get Temp password docker logs openvpn-as | grep -i “Auto-generated pass” # Scroll to find the line, Auto-generated pass = “[password]”. Setting in db..

Configure your OpenVPN services

# Use the generated password sign in to the Admin Web UI. # username: openvpn https://[my_hostname_or_pubip].com:943/admin/ # Check the hostname setting.. put in yourhostname… https://[my_hostname_or_pubip]:943/admin/network_settings # Stop the VPN services and start to ensure changes loaded and persistent: https://[my_hostname_or_pubip]:943/admin/status_overview # Create a user and a new Token Url for the user to import the profile

Windows Client set up

# Install with winget: winget install -e –id OpenVPNTechnologies.OpenVPNConnect # Once installed, get the token which will be something like: openvpn://https://[my_hostname_or_pubip]:043/ConnectClient/[token].ovpn # Put in browser and should open up the OpenVPN client and import the profile, and connect

Checkout your traffic routing

Random

Writing ‘modern’ PowerShell Modules [2024]

Post author By mark
Post date May 8, 2024
No Comments on Writing ‘modern’ PowerShell Modules [2024]

Context

PowerShell was… initially a Windows component only, known as Windows PowerShell, it was made open-source and cross-platform on August 18, 2016, with the introduction of PowerShell Core. The former is built on the .NET Framework, the latter on .NET (previously .NET Core). PowerShell – Wikipedia

Differences between Windows PowerShell 5.1 and PowerShell 7.x – PowerShell | Microsoft Learn
- What is PowerShell? – PowerShell | Microsoft Learn
  - PowerShell Support Lifecycle – PowerShell | Microsoft Learn
- What is Windows PowerShell? – PowerShell | Microsoft Learn
  - The latest version is Windows PowerShell 5.1. Microsoft is no longer updating Windows PowerShell with new features. Support for Windows PowerShell is tied to the version of Windows you are using.

As Microsoft is no longer updating Windows PowerShell with new features it makes sense to use the procedure for ‘Developing modern modules‘ which are (hopefully) portable to any OS running PowerShell.

If creating a new module, the recommendation is to use the .NET CLI.

Create module from ‘Standard Template’

# Install .NET SDK > winget install Microsoft.DotNet.SDK.8 Found Microsoft .NET SDK 8.0 [Microsoft.DotNet.SDK.8] Version 8.0.204 … Successfully installed # Install a ‘template library to generate a simple PowerShell module’ > # Install .NET SDK > winget install Microsoft.DotNet.SDK.8 Found Microsoft .NET SDK 8.0 [Microsoft.DotNet.SDK.8] Version 8.0.204 … Successfully installed # Install a ‘template library to generate a simple PowerShell module’ ## Requires NuGet source enabled > dotnet nuget add source https://api.nuget.org/v3/index.json -n nuget.org > dotnet new install Microsoft.PowerShell.Standard.Module.Template # Create a new module project > mkdir myPSModule; cd .\myPSModule > dotnet new ps5module

Random

Azure Virtual Secure Administration Workstation – Part 4 – Configuring Entra SSO

Post author By mark
Post date November 18, 2023
2 Comments on Azure Virtual Secure Administration Workstation – Part 4 – Configuring Entra SSO

Azure Secure Admin Workstation posts:

Part 1 – VDI Environment
- Resource Group, Host pool, Workspace, Application Group, created an Entra Group with the ‘Desktop Virtualization User’ role and tie them all together.
Part 2 – Firewalls and VNets
- Vnets, Subnets, IPs AzureFirewalls, Routes, FW rules etc.
Part 3 – Session hosts and access
- Adding our SAW VM to the HostPool, connecting and authenticating
Part 4 – Configuring Entra SSO
- Solving authentication and session establishment issues
- Getting Entra SSO working!
Public GitHub project:
- zoak-solutions/AzureVirtualSAW (github.com)

Context and References

After deploying a session host, was able to connect with the local administrator created with the VM, but not the Entra users in the group created.
Got things working after reading these docs and applying the following:
- Enforce Microsoft Entra multifactor authentication for Azure Virtual Desktop using Conditional Access – Azure | Microsoft Learn
- Configure single sign-on for Azure Virtual Desktop using Microsoft Entra authentication – Azure | Microsoft Learn

Troubleshooting and Errors

After not being able to sign in with an Entra user, took a look at:

Error: Unable to connect right now

Likely related to the AVD VM’s ability to talk to required Entra endpoints
- An easy way to validate this is to add a temporary allow all outbound TLS

ITOps Random

Mounting CloudShell Persistence Storage locally

Post author By mark
Post date November 9, 2023
No Comments on Mounting CloudShell Persistence Storage locally

Context

CloudShell is very handy for working with Azure and M365, it removes the issues of PowerShell versioning/modules/authentication and is hosted within you Azure infrastructure boundary, providing some mitigation to privileged access and administrator device risks.
When implementing an Azure Virtual Secure Administration Workstation solution I ended up wasting a bunch of time editing files via the Azure CloudShell instead of locally, this resulted in silly typos (due to lack of syntax highlights, error correction and all the other goodness of an IDE like Visual Studio Code.
To solve this issue I want to mount my CloudShell persistent storage locally, enabling me to edit files locally and immediately test in CloudShell, without pushing/pulling and inevitable conflicts between local and remote.
Turns out that this is much easier than expected using
- VSCode Extension: Azure Account – Visual Studio Marketplace

References

Procedure

Install the Azure Account and Azure Storage extensions for VSCode:
- Azure Account – Visual Studio Marketplace
- Azure Storage – Visual Studio Marketplace
Sign in with the extension in VScode:
- CTRL+SHIFT+P > Azure: Sign in
  - Opens browser AuthFlow
Open Azure Cloud Shell (PowerShell) in VSCode Terminal:
- CTRL+SHIFT+P > Terminal: Create New Terminal (With Profile)
  - If you don’t have NodeJS installed the extension will ask you to install (providing button to click..) the link the extension provided was to an older version of NodeJS and not latest… suggest just using: Node.js (nodejs.org)

Mount your CloudDrive share locally

I had some issues doing this with VScode following: How to Use Cloud Shell in Visual Studio Code
Instead I am just using the Azure Extensions Resource Explorer (SHIFT+ALT+A), navigating to the fileshare and selecting files (which opens them in VScode local window)
NOTE: The CloudDrive is not your enitire CloudShell homedir, its ~/clouddrive

Tags azure

Random

Excel report with all ECR vulnerabilities

Post author By mark
Post date October 8, 2023
No Comments on Excel report with all ECR vulnerabilities

Testing and gaining familiarity with PowerShell!

ITOps Random

Unable to delete Azure Firewall?

Post author By mark
Post date June 29, 2023
No Comments on Unable to delete Azure Firewall?

TLDR: Fix it

If you have removed/deleted a Firewall policy or attachment to the Azure Firewall – re-attach it, or create the policy/attachment with the same name (you will see the name in the CLI output as detailed below).
Once you have re-attached, re-created (just empty policy with same name) you can then delete the Firewall (recommended using Azure Cloud PowerShell) with command:
- Obviously updating -Name and -ResourceGroup parameters.

Remove-AzFirewall -Name "ZOAK-SecureGateway-Firewall" -ResourceGroupName "ZOAK-SecureAccessGateway-ResourceGroup" -Force

Remove-AzFirewall: Long running operation failed with status ‘Failed’

The Azure UI does not give must detail regarding error messaged

$ Remove-AzFirewall -Name "ZOAK-SecureGateway-Firewall" -ResourceGroupName "ZOAK-SecureAccessGateway-ResourceGroup"

...
Remove-AzFirewall: Long running operation failed with status 'Failed'. Additional Info:'The Resource 'Microsoft.Network/firewallPolicies/ZOAK-SecureGateway-Firewall-BasicPolicy' under resource group 'ZOAK-SecureAccessGateway-ResourceGroup' was not found. For more details please go to https://aka.ms/ARMResourceNotFoundFix'
StatusCode: 200
ReasonPhrase: OK
Status: Failed
ErrorCode: ResourceNotFound
ErrorMessage: The Resource 'Microsoft.Network/firewallPolicies/ZOAK-SecureGateway-Firewall-BasicPolicy' under resource group 'ZOAK-SecureAccessGateway-ResourceGroup' was not found. For more details please go to https://aka.ms/ARMResourceNotFoundFix

Was creating a test environment implementing Use Azure Firewall to protect Azure Virtual Desktop | Microsoft Learn.
Went to apply RDS-Templates/AzureFirewallPolicyForAVD at master · Azure/RDS-Templates · GitHub to enable the Virtual Desktop hosts to talk to MS endpoints… which failed because the Azure firewall SKU I chose when initiatlly deploying was of type: ‘basic’
I tried changing the SKU but didn’t read: Azure Firewall easy upgrade/downgrade | Microsoft Learn…. which states:
- This new upgrade/downgrade capability doesn’t currently support the Azure Firewall Basic SKU (why have the ‘Change SKU’ button then??)
So… when to delete the firewall… which seemed to hang (was only looking via the UI).
- Went to use CLI from my workstation… and ran into SSL error when trying to authenticate with MFA (which I couldn’t work around quickly….) so used the Azure Cloud PowerShell which I would recommend for anyone getting frustrated (or blocked by workstation restrictions) with local PowerShell – you can upload scripts and inputs simply and there are no issue with auth, modules, versions, dependencies, etc.

Once attempting to delete via CLI I actually got a meaningful error message:

Additional Info:'The Resource 'Microsoft.Network/firewallPolicies/ZOAK-SecureGateway-Firewall-BasicPolicy' under resource group 'ZOAK-SecureAccessGateway-ResourceGroup' was not found.

That resource had already been deleted… so, re-recreate (just and empty policy) with same name… attached it, then I could delete.

Tags Azure Firewall unable to delete

Random

Eramba bulk reviews with SQL queries

Post author By mark
Post date April 21, 2022
No Comments on Eramba bulk reviews with SQL queries

We utilise the open GRC source tool, Eramba; some instances of which are the community edition which does not have an API interface. In some scenarios it is desirable make bulk updates/completions of reviews (and potentially update status of audits).

Doing this is slightly less trivial than expected… steps are:

Generate a list of review ids and foreign keys (maps review objects to model object [Asset, SecurityPolicy, ThirdPartyRisk, Risk]
Update the relevant review objects with completion date, comments, completed status
Create new reviews entries for next cycle
Update the model object [Asset, SecurityPolicy, ThirdPartyRisk, Risk] to reference the new, next review date
Update the object status mapping for the updated reviews (expired and current statuses in this case)
Validate your updated via the web interface
- No clearing of cache of waiting for jobs is required

-- Generate a list of review ids and foreign keys (in this case the foreign keys are for the associated Assets being reviewed):

SELECT CONCAT_WS(',',Model,id,foreign_key) from reviews where planned_date = '2022-04-19' and model = 'Asset';

-- Update the relevant review objects as desired:

update reviews set actual_date = '2022-04-20',user_id = 2, description = 'No changes to store [components, customer, deployment etc, all same] added to ISMF Agenda ', completed = 1, modified = now(), edited = now()  where id in (select id from reviews where planned_date = '2022-04-19' and model = 'Asset');

-- Create new reviews (this is usually done by the app when completing the review via the web interface, review objects need a Model [Asset, SecurityPolicy, ThirdPartyRisk, Risk] (other models have audits):

INSERT INTO 
	reviews(model, foreign_key, planned_date, completed, created, modified, deleted)
VALUES
('Asset',115,'2023-04-19',0,now(),now(),0),
('Asset',116,'2023-04-19',0,now(),now(),0),
...;

-- Update the Asset object to reference the new, next review date (get asset ID from query used to get review id + foreign_key)
update asset set review = '2023-04-19', expired_reviews = 0 where id in (select foreign_key from reviews where planned_date = '2022-04-19' and model =  'Asset');

-- Eramba has object statuses, the list of available statuses is defined in the object_status_statuses table; the mapping of objects to statuses is in the table: object_status_object_statuses
-- Note there will be better, safer queries to do this..:

-- Check the results select query so we know what we are updating
select * from object_status_object_statuses where foreign_key in (select id from reviews where planned_date = '2022-04-19' and model =  'Asset') and model = 'AssetReview' and name = 'expired';

-- Update the object status mappings for relevant items, in this case there are two statuses that need to be updated, the expired status (now should be 0_ and the current status (now should be 1)

update object_status_object_statuses set status = 0 where id in (select id from object_status_object_statuses 
where foreign_key in (select id from reviews where planned_date = '2022-04-19' and model =  'Asset') and model = 'AssetReview' and name = 'expired');

update object_status_object_statuses set status = 1 where id in (select id from object_status_object_statuses 
where foreign_key in (select id from reviews where planned_date = '2022-04-19' and model =  'Asset') and model = 'AssetReview' and name = 'current_review');

Random

Getting Started with Concepts App

Post author By mark
Post date January 21, 2022
No Comments on Getting Started with Concepts App

I regularly like to make rough diagrams/plans by drawing on paper. As I have an iPad Pro with a stylus sitting next to me I have often thought there would be some benefits to being able to use a sketching diagram to:

Stop losing/damaging paper sketches
Easily undo mistakes
Leverage things like copy and paste
Infinite canvas
Ability to zoom in and out

To this end I am trying: Concepts App • Infinite, Flexible Sketching

Starting with a SkillShare course Draw with Concepts app: Basic Digital Illustration for Beginners

SkillShare – Course

Vector based app (infinite canvas + no pixilation)
User interface
- Supports pressure sensitive stylus + palm rejection
- Projects -> Files
- Top right tools, customizable change tools
  - Line thickness, Opacity, Smoothness (0 for pen tip)
  - Color palette (make your own palette)
  - Layers pallet (automatic will separate layers by tool, recommended)
    1. Coloring with pencil, drawing with pen easy with auto layers
    2. Duplicate layers, transparency, visibility etc.
  - Tools + Brushes
    - Can buy new via pro
  - Precision palette
    - Grid, Snap, Measure, Guide
  - Gestures
    - 2 finger tap – undo
Workflow
- Ran through a demo, drawing an images from a picture
  - Changing tools/brushes
  - Hold push + item select/select all layers

Other resources

Concept app tutorials

ITOps Random

Eramba Community 2019 in Docker (docker-compose)

Post author By mark
Post date September 15, 2019
2 Comments on Eramba Community 2019 in Docker (docker-compose)

Eramba is an excellent open source Governance Risk and Compliance tool. Recently (10-SEP-2019), a new major release of the community version came out. Previously I used https://github.com/digitorus/eramba which was based on https://hub.docker.com/r/k0st/alpine-eramba/ to start eramba instances quickly with docker and docker-compose.

As I could not find an updated version of these for the new release I have made one. The repo for this, 2019 community version (specifically c2.4.1) can be found here: https://github.com/markz0r/eramba-community-docker

Follow the steps in README.md and you should be testing the new eramba in no time.

Mar, 2020: Updated for community edition 2.8.1

Thanks to the team at Eramba for making the tool available for all!

Tags docker, docker-compose, eramba, eramba 2019, grc, open source grc

Random

Performance Benchmarks on CentOS 7 Linux

Post author By mark
Post date May 3, 2019
No Comments on Performance Benchmarks on CentOS 7 Linux

In a scenario where a VM is moved to different underlying hardware, it is generally a good idea to validate CPU, memory, disk IO and network.

CPU Benchmark

sysbench cpu --cpu-max-prime=20000 run

sysbench threads --num-threads=10 --thread-yields=0 --max-requests=100000000 --thread-locks=1 run

Memory Benchmark

sysbench memory --memory-block-size=1M --memory-total-size=100G run
sysbench memory --memory-total-size=10G run

File IO

sysbench fileio --file-total-size=5G prepare; sysbench fileio --file-total-size=5G --file-test-mode=rndrw --time=300 --max-requests=0 run
# Clean up
sysbench fileio --file-total-size=5G cleanup

Network latency, upload and download

wget https://raw.githubusercontent.com/sivel/speedtest-cli/master/speedtest.py; ./speedtest.py; rm -f ./speedtest.py