Best posts made by stacksofplates
-
RE: Insert Label into PDF
Does it need to be a label, or are you just using the label as metadata? If it's just metadata, something like paperless might work.
-
RE: NG AV / Endpoint Protection in 2021
@scottalanmiller said in NG AV / Endpoint Protection in 2021:
@travisdh1 said in NG AV / Endpoint Protection in 2021:
I'm curious, how do you handle centralized reporting with Defender? That's still the 1 missing piece most places I deal with want, and I don't know of a way to do it with Defender itself.
Reporting on it being up to date and running? Both MeshCentral and TacticalRMM report on that. So do lots of other tools.
Can you give a screenshot of this? I just can't conceptualize how these tools can give you a report on running, updates, number of findings, what the findings are, etc.
-
RE: NG AV / Endpoint Protection in 2021
@obsolesce said in NG AV / Endpoint Protection in 2021:
@hobbit666 said in NG AV / Endpoint Protection in 2021:
So in simple terms, people are saying dump the AV products like Webroot/Bitdefender/Eset and move over to a more SIEM orientated setup, whether that's in house or externally managed (we wouldn't have the resources internally).
What about products like CrowdStrike, Cynet XDR, Mimecast? Do these fall into the SIEM realm? They say they monitor machines for changes in system files/logs/other stuff for behaviour that looks like issues, i.e. virus/ransomware.
It's not just about having an anti-virus software updated to the latest definitions. I would say definition based malware threats are pretty much the basic 1-9% of the whole picture. This is where the solutions such as some CrowdStrike products and Microsoft 365 Defender come into play to cover the ~90% of the whole picture.
https://www.amazon.com/UNIDOPRO-Socket-Tapping-Bottle-Bracket/dp/B07G3XS4W8
Thanks for the bolt recommendation.
-
RE: Greenfield Kubernetes Architecture and Security
@irj said in Greenfield Kubernetes Architecture and Security:
Let's say your organization has 50-100 different applications running on kubernetes. Historically each cluster runs one application.
You have the ability to greenfield and re-architect how everything is built.
-
Would you keep one cluster per application and use network policies to control data flow?
-
Would you break up clusters similar to how you'd separate a 3 or 4 tier web app? One of the advantages to this approach is perhaps you can keep DevOps engineers from accessing database clusters at all. The disadvantage of course being complexity on the network side.
-
Would you create a few kubernetes clusters and separate applications by namespace and use network policies to filter traffic?
Note : For sake of discussion Kubernetes will be hosted on major CSP (AWS, Azure, or GCP) so no need to worry about hardware requirements for this topic.
1 will get really expensive and complicated really fast.
2 is complicated in networking, but less complicated in that you need less rolebindings (also more expensive).
3 makes the most sense but adds complexity with SAs and rolebindings. Let the namespaces be the logical separation. Use a mesh like Istio/Kuma for mTLS. If you pay for Kuma you get OPA integration in the sidecar with a CRD for the policy; if you use Istio you still get OPA, but I believe it's a configmap that you need to load into a central OPA, I can't remember. This way you can define policy for each app, but your app doesn't need to understand how authentication mechanisms work.
I'd recommend Rancher for an easier RBAC solution and more logical separation of projects on top of namespaces.
-
-
RE: Greenfield Kubernetes Architecture and Security
Here's an example of a rego policy for OPA:
package envoy.authz

import input.attributes.request.http as http_request

default allow = false

# Pull the bearer token out of the Authorization header and decode the JWT.
# io.jwt.decode returns [header, payload, signature]; the payload (claims) is index 1.
token() = claimInfo {
    parts := split(http_request.headers.authorization, " ")
    claims := io.jwt.decode(parts[1])
    claimInfo := claims[1]
}

# Ask the app for the record at the requested path; cache the answer for an hour.
checkRecord() = http.send({
    "url": sprintf("http://localhost:8080%s", [http_request.path]),
    "method": "GET",
    "force_cache": true,
    "force_cache_duration_seconds": 3600
})

allow { requester_is_owner }
allow { method_is_post }

method_is_post { http_request.method == "POST" }

# The record's "username" field must match the "sub" claim of the caller's token.
requester_is_owner {
    record := checkRecord()
    claims := token()
    record.body.username == claims.sub
}
The awesome thing about this is your app doesn't need to understand roles, users, etc. OPA requests a record from this app, takes the JWT in the request and compares the owner of the record stored at username to the sub in the token. If they don't match you get a 403; if they do match it will return the record for you. The app just needs to return the record and doesn't care about auth.
You can also use OPA as a K8s admission controller to verify that resources have correct annotations, labels, policies, etc. It's a really awesome tool.
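As an added example of the admission-controller use mentioned above (written for this page, not taken from the post or from OPA's docs), here is a Rego policy in the same v0 syntax as the Envoy policy that rejects pods missing the labels a namespace-per-app layout relies on, and containers that do not declare runAsNonRoot. The label names app and team are assumed.

```rego
package kubernetes.admission

# Label names assumed for this example; use whatever your namespace-per-app convention requires.
required_labels := {"app", "team"}

# Deny a Pod (outside kube-system) that lacks any of the required labels.
deny[msg] {
    input.request.kind.kind == "Pod"
    input.request.namespace != "kube-system"
    labels := object.get(input.request.object.metadata, "labels", {})
    present := {k | labels[k]}
    missing := required_labels - present
    count(missing) > 0
    msg := sprintf("pod %v in namespace %v is missing required labels: %v",
        [input.request.object.metadata.name, input.request.namespace, missing])
}

# Deny any container that does not declare runAsNonRoot, so a compromised app
# does not start as root inside the container.
deny[msg] {
    input.request.kind.kind == "Pod"
    container := input.request.object.spec.containers[_]
    not container.securityContext.runAsNonRoot
    msg := sprintf("container %v must set securityContext.runAsNonRoot: true", [container.name])
}
```

The AdmissionReview the API server sends to the webhook is the policy's input; the request is admitted only when the deny set comes back empty.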
-
RE: Greenfield Kubernetes Architecture and Security
@irj said in Greenfield Kubernetes Architecture and Security:
Also another related question, would you even use kubernetes for databases or would be better to use a hosted service like RDS?
It depends. It's valid either way. However, things like DynamoDB can get stupid expensive really quickly, so it's valuable to run those in cluster and just pay for the PVCs used.
-
RE: When to use Kubernetes vs Serverless
So you can also run serverless on K8s. It helps alleviate some of the vendor lock-in issues, but doesn't necessarily alleviate cold starts. OpenFaaS and Kubeless are two popular serverless frameworks for K8s. They both allow custom runtimes/templates so you aren't beholden to a specific vendor's security when deploying your apps.
-
RE: DNS Filtering Service
@dustinb3403 said in DNS Filtering Service:
@voip_n00b said in DNS Filtering Service:
Anyone have a recommendation? Been looking at a bunch of them, looking for some first-hand experience. I'm looking for a hosted service, not a pihole or something like that.
A hosted service that isn't pihole.... then what is PiHole?
A self hosted application. Idk what you are trying to say here.
-
RE: DNS Filtering Service
@scottalanmiller said in DNS Filtering Service:
Gateway is a "VPN Replacement". It moves where your traffic goes. It's a huge service doing dramatic stuff. If someone wanted a VPN / Proxy system + DNS Filtering, you'd have to request that. That's 90% stuff that isn't related to DNS. Definitely not at all what the OP was asking about. The stuff that they compared to, like PiHole, is nothing like that whatsoever.
Can you give a link to the Cloudflare service you are talking about? Maybe that will clear things up here.
-
RE: DNS Filtering Service
@scottalanmiller said in DNS Filtering Service:
but the OP isn't looking for that.
Not sure why this is assumed. I took it to mean they wanted similar features of a pihole which include adding specific filters and reports.
-
RE: DNS Filtering Service
What services have you investigated? The requirements here are pretty bare.
-
RE: RMM Service
@dustinb3403 said in RMM Service:
@irj said in RMM Service:
@notverypunny said in RMM Service:
I'd like to have more granular permissions options (like allowing users access to workstations but blocked on servers) but it's not a deal-breaker.
You aren't using a segmented network with firewall rules blocking incoming ports like RDP and SSH?
How does segmented networking affect the user permissions within Tactical? I get how it would segment the devices, but that does nothing for the RMM side, i.e. different teams of people to manage different equipment or resources.
He's saying if you segmented the network you wouldn't need to worry about those controls in the RMM at all.
-
RE: Does a script imply Automation?
@pete-s said in Does a script imply Automation?:
For instance, a motor in a car runs by itself. But that doesn't make the car automated, because the control of the car is not automated.
Except that is automated compared to where it initially started. It's very automated in the sense that I don't have to get out and crank start my car or fill it with oil after every trip because it's assumed my oil will just leak out of my engine like they did when they first arrived.
You're proving my point. Automation changes over time. What we count as automated today will just be something we take for granted tomorrow. Which is why I used the example of lower level concepts. Those used to be manual things, and are now "automated" because we don't even think about them. But we don't really call that automation.
A script that echoes "hello world" is not automation but is a script.
In my mind, for it to count as automation, the work the script does has to be less than or equal to the amount of work it would take to do the task manually (with the caveat that the work is useful). This would incorporate tying larger initiatives together.
And we are back to what most of the discussions are on this site, it's opinion. The person talking to Gene clearly didn't think whatever the script was counted as automation. He's fully in his right to think that because a lot will agree with him.
I'm more interested to know what the script did or is going to do and we could determine whether it should be counted as automation.
-
RE: Does a script imply Automation?
@gjacobse said in Does a script imply Automation?:
The biggest one they are fighting me on script wise is Onboarding - creating a user, assigning a O365 license, entering in the REQUIRED information for the EMR to work, setting the Manager, address, adding the needed Security groups for VPN, Teams, MFA, and so on. And of course, there is Offboarding that could be done as well...
What reasons are cited when they fight you on this? This should have been scripted years ago. If it's because they are working on implementing something like kace or some automation tool to do it, that's one thing but if they are just saying it has to be manual that's another.
-
RE: Does a script imply Automation?
@irj said in Does a script imply Automation?:
@gjacobse said in Does a script imply Automation?:
- Save key to text file with the file name of the computer name, saving to network share.
Saving the key to a text file on a mapped share is really bad lol.
Yeah especially since it's been mentioned this is an environment with higher security and PHI/PII. Mapped drives shouldn't even be a thing.
-
RE: RojoLoco needs your Linux brains!!!
@rojoloco said in RojoLoco needs your Linux brains!!!:
Thanks to everyone for the great replies. I just got confirmation from Dell that I need to go with the server version. So it's looking like CentOS 8 Stream / Docker CE / Docker compose will be the setup. Stand by, there will probably be more noob questions coming soon.
Yeah wow that's gross that they force those specifically. Maybe Dell should catch up with everything that's going on in the world.
-
RE: KVM or VMWare
The enterprises that don't use KVM with their own APIs/emulator (or run fully cloud) run VMware for the APIs. The integration with the REST APIs is more important than any of the ancillary features of qemu/libvirt.
-
RE: KVM or VMWare
@scottalanmiller said in KVM or VMWare:
There's no shortage of KVM talent, so anyone telling you that they can't hire is actually telling you that they are so bad at searching that they can't function as a business or they are so bad to work for that no amount of money can fix it.
This simply isn't true. No one in the enterprise space runs qemu/libvirt. They've developed their own APIs (gvisor, firecracker, etc).
-
RE: KVM or VMWare
@pete-s said in KVM or VMWare:
@stacksofplates said in KVM or VMWare:
@irj said in KVM or VMWare:
@irj said in KVM or VMWare:
@stacksofplates said in KVM or VMWare:
The integration with the REST APIs is more important than any of the ancillary features of qemu/libvirt.
Exactly. Stuff isn't done manually anymore.
It's not even about manual process. It's about being able to audit, and having a repeatable process.
Auditing in KVM is pretty much not there lol.
Just a side note, but what type of auditing are you talking about? Security audit? Compliance audit?
All of the above.