Klaus

Measure Sitespeed

 Wed, 20 Jun 2018 17:41:42 +0200 
Wonderful tool(s)! The Docker image is 1,6GB big, but it does combine quite a lot of things and makes it very convenient to use. In contrast to other such performance tools sponsored by a big company, Sitespeed.io complains about GA and GTM usage. ;-)

#^Sitespeed.io - Welcome to the wonderful world of Web Performance
Image/photo
Sitespeed.io is a set of Open Source tools that makes it easy to monitor and measure the performance of your web site.

Measuring performance shouldn’t be hard: you should be able to have full control of your metrics, own your own data and you should be able to do it without paying top dollars.

That’s why we created sitespeed.io.


The TSDB is something I want add to our monitoring server.
Klaus

Administratoren zwischen Datenschutz und Informationssicherheit

 Bonn, GermanyWed, 13 Jun 2018 15:13:56 +0200 
#^Administratoren zwischen Datenschutz und Inform... » ADMIN-Magazin
Image/photo
Der Admin ist Pragmatiker: Systeme am Laufen halten, der Rest ergibt sich von selbst. Gleichzeitig ist er sich jedoch bewusst, dass es beim Umgang mit personenbezogenen Daten Grenzen gibt, über die der Datenschutzbeauftragte wacht. Dessen Ziele stehen jedoch oft im Widerspruch zur Sicherheit der Daten. Ein Konflikt, für den nicht selten der Rücken des Admins als Austragungsort herhalten muss.

Die Zielvorgaben von Informationssicherheitsbeauftragten (ISB) und Datenschutzbeauftragten (DSB) sind nicht immer kompatibel. Im operativen Tagesgeschäft soll der Administrator den Betrieb der IT sicherstellen, sieht sich aber hin und wieder widersprüchlichen Anforderungen dieser beiden Beauftragten ausgesetzt.


Der Gesetzgeber sieht vor, dass der Datenschutzbeauftragte keine Weisungsbefugnis hat. Deshalb liegt es an der Geschäftsführung zu regeln, wer die tatsächlich auszuführenden Maßnahmen zum Schutz der Datenverarbeitung vorgibt. Das kann der ISB oder die IT-Leitung sein. Denn dort liegen die organisatorischen Verantwortlichkeiten. Da die Fäden beim Administrator zusammenlaufen, hat er aus seiner Position die Möglichkeit, entsprechende Konflikte zwischen Datenschutz und Informationssicherheit zu erkennen und alle Beteiligten darauf aufmerksam zu machen.
Grundsätzlich gilt: Für die Informationssicherheit werden betriebliche Entscheidungen getroffen, in denen Risiko und Nutzen einander abgewogen werden. Beim Datenschutz gibt es konkrete gesetzliche Vorgaben. Innerhalb dieser Vorgaben ist der Spielraum für Entscheidungen weitaus geringer als in der Informationssicherheit. Im Zweifel stellt die eine Entscheidung aus Sicht des ISB nur ein wirtschaftlich kalkulierbares Risiko dar, aus Sicht des Datenschutzes möglicherweise einen Gesetzesverstoß, der eine Ordnungswidrigkeit darstellt.
Klaus

Safe Containers?

 Fri, 25 May 2018 18:34:03 +0200 
#^Safe Containers » ADMIN Magazine
Image/photo
By Martin Loschwitz
Docker containers are a convenient way to run almost any service, but admins need to be aware of the need to address some important security issues.
Container systems like Docker are a powerful tool for system administrators, but Docker poses some security issues you won't face with a conventional virtual machine (VM) environment. For example, containers have direct access to directories such as /proc, /dev, or /sys, which increases the risk of intrusion. This article offers some tips on how you can enhance the security of your Docker environment.
Klaus

Dovecot Mailarchiv

 Wed, 02 May 2018 19:13:45 +0200 
#^Mailquota-Management mit Dovecot
Ein ständig wachsender Datenbestand droht viele Mail-Infrastrukturen zu überfordern. Dabei gibt es zumindest für Dovecot einen Weg aus der Speicherfalle.

Für seine Nutzer gilt heute als selbstverständlich, dass das E-Mail-System durchgehend verfügbar ist und immer ausreichend Speicherkapazität zur Verfügung hat. Dennoch sind die Ressourcen natürlich endlich und kosten Geld. Daher kann ein schnell wachsender Datenbestand die Betriebssicherheit einer Mail-Infrastruktur durchaus gefährden. Das muss aber nicht sein.

#Dovecot #IMAP #Mailarchiv
Klaus

such complex functions in IDaaS services?

 Wed, 14 Mar 2018 18:17:35 +0100 
#notgotzot

#^IAM in the Cloud » ADMIN Magazine
Image/photo
Offers for identity management as a service (IDaaS) are entering the market and promising simplicity. However, many lack functionality, adaptability, and in-depth integration with existing systems. We look at how IT managers should consider IDaaS in their strategy.
Identity and access management (IAM) is a core IT discipline located between IT infrastructure, information security, and governance. For example, IAM tools help with the management of users and their access rights across systems and (cloud) services, to provide easy access to applications (preferably with a single sign-on experience), to handle strong authentication, and to protect shared user accounts.

#CIAM (Customer Identity and Access Management)
Klaus

Selenoid

 Thu, 18 Jan 2018 18:52:14 +0100 
I already had a dockerized Selenium-Grid but it was a good idea to replace it with Selenoid. The state of automation and the video recording feature are really impressive.

#^Selenoid
Selenoid is a powerful implementation of Selenium hub using Docker containers to launch browsers.

Lightweight and Lightning Fast
Suitable for personal usage and in big clusters:
* Consumes 10 times less memory than Java-based Selenium server under the same load
* Small 7 Mb binary with no external dependencies (no need to install Java)
* Browser consumption API working out of the box
* Ability to send browser logs to centralized log storage (e.g. to the ELK-stack)
* Fully isolated and reproducible environment



#^Scalable Selenium Cluster: Up & Running | Ivan Krutov
by seleniumconf on YouTube
Klaus

zu leichtfertig mit Zugangsdaten

 Thu, 09 Nov 2017 18:27:55 +0100 
#^Studie: DevOps-Teams gehen häufig leichtfertig mit Zugangsdaten um
Image/photo

In vielen Unternehmen mangelt es den DevOps-Abteilungen an Regeln für den sicheren Umgang mit privilegierten Accounts und Zugangsdaten – vielfach fehlt eine übergreifende Sicherheitsstrategie, wie CyberArks „Advanced Threat Landscape“-Report zeigt.
Klaus

SMTP relay

 Fri, 13 Oct 2017 18:26:36 +0200 
So you can not send eMails from an M$ Azure VM? You need a SMTP relay outside of Azure?
Luckily Exchange Online Protection is an ideal solution you can directly sign up for. ;-) At least they know how to squeeze out their victims.
Klaus

Icinga Director v1.4.0

 Tue, 10 Oct 2017 17:28:44 +0200 
#^Icinga Director v1.4.0 has been released
We tagged v1.3.2 more than two months ago and according our initial plans it should have been announced together with v1.4.0. However, sometimes things take longer than expected. But now it’s official: Director v1.4.0 is our shiny new release.
Klaus

by zombies

 Mon, 09 Oct 2017 18:18:42 +0200 
#^Eliminating the zombie vulnerability – removing passive voice from the docs
If you can insert the words “by zombies” into a sentence, then that sentence very likely uses the passive voice. A colleague recently reminded me of this tip. It made me laugh, and so I thought it’s worth blogging about. If only to share the chuckle.

Here are some examples of zombie-infested sentences, and their equivalents using active voice.

Example 1
Geographic requests are indicated by zombies through use of the coordinates parameter, indicating the specific locations passed by zombies as latitude/longitude values.

Converting passive voice to active:
You can use the coordinates parameter to indicate geographic requests, passing the specific locations as latitude/longitude values.

For an even more concise effect, use the imperative:
Use the coordinates parameter to indicate geographic requests, passing the specific locations as latitude/longitude values.


#documentation #technical writing
Klaus
 Mon, 02 Oct 2017 12:40:38 +0200 last edited: Mon, 02 Oct 2017 12:40:57 +0200  
#^Securing Network Time | Core Infrastructure Initiative
Image/photo
Date Published September 27, 2017
Since its inception the CII has considered network time, and implementations of the Network Time Protocol, to be “core infrastructure.” Correctly synchronising clocks is critical both to the smooth functioning of many services and to the effectiveness of numerous security protocols; as a result most computers run some sort of clock synchronization software and most of those computers implement either the Network Time Protocol (NTP, RFC 5905) or the closely related but slimmed down Simple Network Time Protocol (SNTP, RFC 4330).
Klaus

pipeline-examples

 Tue, 26 Sep 2017 17:27:08 +0200 
Nice collection of #Jenkins pipeline examples.

#^jenkinsci/pipeline-examples
Image/photo
pipeline-examples - A collection of examples, tips and tricks and snippets of scripting for the Jenkins Pipeline plugin
Klaus

Was gibt es Neues vom Icinga Director?

 Tue, 01 Aug 2017 16:53:10 +0200 
ziemlich viel und es macht richtig Spass!

#^Was gibt’s Neues vom Director?
Gleich zwei neue Releases stehen an, und während die v1.3.2 bereits vor einer Woche inoffiziell getagged wurde, werden bei der v1.4.0 gerade noch die letzten Kanten rund geschliffen. Wenn nichts dazwischen kommt werden dann Anfang nächster Woche beide gemeinsam offiziell angekündigt werden.

Einfachere Suche, flexiblere Tabellen
Template Choices
Schnelleres Arbeiten mit einzelnen Services
Autocompletion
Neue Dashboards und Dashlets
Vererbung ist alles
Berechtigungen
Genutzte Custom Variablen
VMware vSphere/ESXi Import
Klaus
 Fri, 28 Jul 2017 16:55:16 +0200 
#^Securing Docker » ADMIN Magazine
Image/photo
Docker containers introduce serious security problems, but you can employ a number of methods to deploy them securely.

Few debate that the destiny of a hosting infrastructure is running applications across multiple containers. Containers are a genuinely fantastic, highly performant technology ideal for deploying software updates to applications. Whether you're working in an enterprise with a number of critical microservices, tightly coupled with a pipeline that continuously deploys your latest software, or you're running a single LEMP (Linux, Nginx, MySQL, PHP) website that sometimes needs to scale up for busy periods, containers can provide with relative ease the software dependencies you need across all stages of your development life cycle.
Klaus

RDBMS containers

 Fri, 28 Jul 2017 13:04:28 +0200 last edited: Fri, 28 Jul 2017 16:55:45 +0200  
#^RDBMS Containers » ADMIN Magazine
Image/photo
If you spend very much of your time pushing containerized services from server to server, you might be asking yourself: Why not databases, as well? We describe the status quo for RDBMS containers.
Klaus

Orpheus' Lyre

 Thu, 13 Jul 2017 16:11:58 +0200 
Was debugging some #Kerberos error messages in M$ Active Directory this morning. What a nice coincidence to find Orpheus' Lyre website just now.

#^Orpheus' Lyre
Image/photo

On Tuesday, 11 July 2017, at 1PM New York time, Microsoft, and various Linux distros and BSDs, released patches for Orpheus' Lyre.

We will be updating this blog post with more details as time passes. This vulnerability is quite serious, and we wish to give users a chance to apply patches before we discuss the full scope of the vulnerability. We urge users to apply and deploy patches forthwith and without delay.

In Greek mythology, Orpheus was a bard who put Cerberus to sleep with his music, and was then able to bypass Hades' guard. This vulnerability defeats Kerberos in a critical way permitting a bypass of mutual authentication. Thus we name it after Orpheus' Lyre much as Kerberos is named after Cerberus.


Its not actually a broken protocol, but it's all too easy to make subtle but disastrous implementation mistakes. Orpheus' Lyre is a serious vulnerability in some implementations of the Kerberos protocol.
MIT implemented it correctly, all others failed? Quite interesting. ;-)

#SSO
Klaus

LPIC-OT

 Fri, 07 Jul 2017 23:17:18 +0200 
There will be beta-exams for the new LPIC-OT at FrOSCon in August. Looking at the objectives for this new exam it contains a lot of what I have done recently.

#^DevOps Tools Engineer
DevOps is one of the most in-demand skills in open source today.  In order to meet this need with verified skills LPI, an established authority in Linux Administration, is developing the DevOps Tools Engineer certification.  These additional certified competencies strengthen the portfolio of today’s IT professionals.

As more and more companies introduce DevOps methodologies to their workflows; skills in using tools which support the collaboration model of DevOps become increasingly important. LPIC-OT DevOps Tools Engineers will be able to efficiently implement a workflow and to optimize their daily administration and development tasks.

This certification will be released in autumn 2017 and will test proficiency in the most relevant free and open source tools used to implement the DevOps collaboration model, like for example configuration automation or container virtualization.

The new certification is created according to LPI‘s community-based certification development process. This process relies heavily on involvement by the IT community.
Klaus

A Step-By-Step Guide on How to Be a Little Evil

 Fri, 07 Jul 2017 18:21:53 +0200 
Nice introduction video for every M$ Windows user! But don't tell your domain adminstrators. ;-)

#^From User to Domain Admin: A Step-By-Step Guide on How to Be a Little Evil
by BeyondTrust on Vimeo
Klaus

Let’s Encrypt limits

 Tue, 04 Jul 2017 14:37:53 +0200 
#^Keychest
Image/photo

Let's Encrypt is now the largest certificate provider for internet facing servers (combining a Frost&Sullivan report on SSL/TLS certificates from 2016 and actual data from Let's Encrypt, LE currently issues around 80% of all browser-trusted certificates). It does not issue the "most secure" certificates (i.e., EV, or extended validation certificates, which require manual validation of the address and legal status of the web service owner), but its certificates provide a very good level of security for most of us.

When we started using Let's Encrypt (LE), we slowly learnt about various limitations imposed on users. There is not any single place where you can find all important information in one place so here's the first attempt. We will amend it as we learn more directly, or from your feedback.
Klaus

Deep Dive into Capabilities

 Sun, 25 Jun 2017 22:57:10 +0200 
Secure Your Containers with this One Weird Trick
Did you know there is an option to drop Linux capabilities in Docker? Using the docker run --cap-drop option, you can lock down root in a container so that it has limited access within the container. Sadly, almost no one ever tightens the security on a container or anywhere else.