There was an interesting talk at Bonn Security Nights last evening.

It is not available (yet?), but the topics included, among others:
#^The Web Infrastructure Model (WIM) | Institute of Information Security  | University of Stuttgart
The most comprehensive, expressive and precise model of the web infrastructure to date.

#^New OAuth Security Recommendations - danielfett.de
The OAuth Security BCP contains a number of new and updated recommendations on the usage of OAuth 2.0. I recommend reading the whole document to understand the threats and attacks that lead to these guidelines. As a quick reference, the following table shows an overview of the most important new recommendations:
This list is based on version -12 of the draft and will be updated in the future.

Kubernetes Managed Container Platform

Quite an interesting offer. Unfortunately B2B only and not for my private hosting dilemma.

#^Kubernetes - Managed Container Plattform | NETWAYS Web Services
Tailor-made container platform based on Kubernetes. Administered by MyEngineer on request. Pay per use and ready in a few minutes.


msodbcsql17 Buster

After a recent php:7.3-apache Docker image rebuild we were not able to connect to the M$SQL server anymore from our PHP application inside the Docker container. This seems to be related to the Debian 9 (Stretch) --> Debian 10 (Buster) update of the official PHP base image.

The error message with the new container was:
[Microsoft][ODBC Driver 17 for SQL Server]TCP Provider: Error code 0x2746
[Microsoft][ODBC Driver 17 for SQL Server]Client unable to establish connection

Too lazy to find a proper solution right now, but a quick fix is to add the following line to our Dockerfile:
RUN sed -i 's/SECLEVEL=2/SECLEVEL=1/g' /etc/ssl/openssl.cnf
Another lesson learned is to use the right base image tag, e.g. php:7.3-apache-stretch.
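What the sed above actually relaxes, and a way to keep the relaxation out of the global config, as an added example that is not from the original post. On buster's OpenSSL 1.1.1, SECLEVEL=2 demands at least 112 bits of security: RSA/DSA/DH keys shorter than 2048 bits and ECC keys shorter than 224 bits are rejected, as are SSLv3 and RC4. SECLEVEL=1 lowers that to 80 bits (1024-bit RSA/DH), which is what a SQL Server with an old certificate or small DH parameters typically needs. The error code 0x2746 is 10054 decimal, the Winsock code for a connection reset by the peer, so the TCP connect succeeded and the connection was torn down afterwards, which fits a refused handshake. The script assumes buster's openssl.cnf layout (a system_default_sect with MinProtocol and CipherString), that msodbcsql17 links the system libssl and therefore reads the config named in OPENSSL_CONF on initialisation, and a file name of our own choosing, /etc/ssl/odbc-legacy.cnf. The config excerpt it writes is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: keep the SECLEVEL downgrade out
# of the global /etc/ssl/openssl.cnf and hand only the ODBC-using process a
# dedicated config via OPENSSL_CONF.
# Assumptions: Debian buster's openssl.cnf layout (system_default_sect with
# MinProtocol and CipherString); msodbcsql17 linking the system libssl 1.1.1,
# which reads OPENSSL_CONF on initialisation; the name odbc-legacy.cnf is our
# own choice.
set -eu

# Constructed stand-in for the relevant tail of buster's /etc/ssl/openssl.cnf.
write_sample_cnf() {
    cat > "$1" <<'EOF'
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
EOF
}

# Derive the relaxed config without touching the source file. Only the
# security level changes; MinProtocol = TLSv1.2 is kept, so TLS 1.0/1.1 stay
# disabled even though SECLEVEL=1 on its own would permit them again.
make_legacy_cnf() {
    sed 's/SECLEVEL=2/SECLEVEL=1/g' "$1" > "$2"
}

# Report the effective settings of a config (first occurrence of each key).
cipherstring_of() {
    sed -n 's/^[[:space:]]*CipherString[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}
minprotocol_of() {
    sed -n 's/^[[:space:]]*MinProtocol[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Guard for an image test or CI: 0 when the file still enforces SECLEVEL=2,
# 1 when somebody applied the global sed after all.
global_seclevel_intact() {
    case "$(cipherstring_of "$1")" in
        *@SECLEVEL=2) return 0 ;;
        *)            return 1 ;;
    esac
}

# Demo on the constructed file; in the image the source would be
# /etc/ssl/openssl.cnf and the target /etc/ssl/odbc-legacy.cnf.
src=$(mktemp); dst=$(mktemp)
write_sample_cnf "$src"
make_legacy_cnf "$src" "$dst"
echo "global : $(minprotocol_of "$src") / $(cipherstring_of "$src")"
echo "legacy : $(minprotocol_of "$dst") / $(cipherstring_of "$dst")"
global_seclevel_intact "$src" && echo "global config untouched"
global_seclevel_intact "$dst" || echo "legacy config downgraded (intended)"
rm -f "$src" "$dst"

# Dockerfile equivalent of the two steps above:
#   RUN sed 's/SECLEVEL=2/SECLEVEL=1/g' /etc/ssl/openssl.cnf > /etc/ssl/odbc-legacy.cnf
# and start only the process that must talk to the old server with
#   OPENSSL_CONF=/etc/ssl/odbc-legacy.cnf
```

In php:7.3-apache the ODBC driver is loaded into the Apache worker processes, so OPENSSL_CONF set for apache2 also applies to mod_ssl inside that process. What the split still buys is that curl, the openssl CLI and everything else in the image keep SECLEVEL=2, that MinProtocol stays at TLSv1.2, and that the exception is visible as a separate file instead of being hidden in a sed on the system config.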


Getting mail reliably and quickly in the inbox of recipients is hard. Lightmeter shows where the bottlenecks are so you don't waste time.

Funny project. If you look at the code #^https://gitlab.com/lightmeter it is just R ;-)


Recently saw a spiffe:// URI in a certificate's Subject Alternative Name. o_O

#^SPIFFE – Secure Production Identity Framework for Everyone

Inspired by the production infrastructure of Google and others, SPIFFE is a set of open-source standards for securely identifying software systems in dynamic and heterogeneous environments.

What is SPIFFE?
SPIFFE, the Secure Production Identity Framework For Everyone, provides a secure identity, in the form of a specially crafted X.509 certificate, to every workload in a modern production environment. SPIFFE removes the need for application-level authentication and complex network-level ACL configuration.
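Since the spiffe:// URI in the SAN is exactly what a relying party authorises on, it should be checked before it is trusted as a workload identity. The following is an added example, not part of the original post and not code from the SPIFFE project. It pulls the URI SANs out of a PEM certificate with the openssl CLI (the -ext option needs OpenSSL 1.1.1 or later) and validates each ID against the rules of the SPIFFE ID specification: the form spiffe://<trust-domain>[/<path>], a trust domain of lowercase letters, digits, dots, dashes and underscores, path segments of letters, digits, dots, dashes and underscores that are never empty, "." or "..", no trailing slash, no port, userinfo, query or fragment, and at most 2048 bytes. The sample IDs at the end are constructed; the certificate path cert.pem in the comment is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post or the SPIFFE project: extract the
# URI SANs of a certificate and accept only well-formed SPIFFE IDs.
# Assumptions: OpenSSL 1.1.1+ for "x509 -ext"; format rules as in the SPIFFE
# ID specification (see the lead-in); cert.pem is a placeholder path.
set -eu

# Print the URI SANs of a PEM certificate, one per line (needs the openssl CLI).
uri_sans_of() {
    openssl x509 -in "$1" -noout -ext subjectAltName \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*URI:[[:space:]]*//p'
}

# Return 0 if the argument is a valid SPIFFE ID, 1 otherwise.
is_spiffe_id() {
    id="$1"
    # Scheme, trust domain, zero or more non-empty path segments, nothing else:
    # this already rules out uppercase trust domains, ports, userinfo, query,
    # fragment, empty segments and a trailing slash.
    printf '%s\n' "$id" | grep -Eq '^spiffe://[a-z0-9._-]+(/[A-Za-z0-9._-]+)*$' || return 1
    # The spec caps an ID at 2048 bytes; the regex made it ASCII, so chars = bytes.
    [ "${#id}" -le 2048 ] || return 1
    # "." and ".." are not allowed as segments (would make IDs ambiguous).
    case "/${id#spiffe://}/" in
        */./*|*/../*) return 1 ;;
    esac
    return 0
}

# Trust domain of an ID; a relying party compares this with its own.
trust_domain_of() {
    td="${1#spiffe://}"
    printf '%s\n' "${td%%/*}"
}

# Print the SPIFFE IDs of a certificate; fail on the first malformed one
# instead of silently dropping it. Usage: spiffe_ids_of cert.pem
spiffe_ids_of() {
    uri_sans_of "$1" | while IFS= read -r uri; do
        case "$uri" in
            spiffe://*)
                if is_spiffe_id "$uri"; then
                    printf '%s\n' "$uri"
                else
                    echo "malformed SPIFFE ID: $uri" >&2
                    return 1
                fi ;;
        esac
    done
}

# Demo on constructed IDs (no certificate needed).
for id in \
    'spiffe://example.org/ns/default/sa/web' \
    'spiffe://example.org' \
    'spiffe://Example.org/ns' \
    'spiffe://example.org/ns/../sa' \
    'spiffe://example.org:443/ns' \
    'spiffe://example.org/ns/'; do
    if is_spiffe_id "$id"; then
        echo "valid   $id  (trust domain: $(trust_domain_of "$id"))"
    else
        echo "invalid $id"
    fi
done
```

A valid ID is only the first step: the relying party must still verify the certificate chain against the trust bundle of that trust domain and decide which paths it authorises, which is policy rather than syntax.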


vintage computers

After spending a lot of time with talks and articles about cattle and throw away clusters this video is a pleasant counterpart. :-D

#^Here's What Happens When an 18 Year Old Buys a Mainframe

GLPI Inventory Agent for Android

GLPI Android Inventory Agent allows your company to maintain control of all mobile devices, whilst providing comprehensive protection and enhanced security for sensitive corporate data, via a centralized management console.

Jenkinsfile in GitLab CI

#^Running Jenkins Files inside GitLab CI
Learn how to lift and shift your Jenkins jobs over to GitLab CI while you migrate.

First, I want to set some ground rules for this. For starters, this process is not meant for long-term use. There are many downsides to this, such as that it only runs in one GitLab stage and isn't asynchronous. However, this process can be used to run your Jenkins builds in GitLab CI while you're migrating your Jenkinsfile to GitLab CI syntax. Make no mistake: this doesn't solve your migration woes, but it does allow you to run your Jenkinsfile inside GitLab for the time being. It's a stop-gap measure.

Log file Navigator

#^The Log File Navigator

Many logging tools, like Splunk, provide great features but are optimized for large-scale deployments. They require installing and configuring servers before they can be effectively used. There is still a need for a robust log file analyzer for the terminal.
Just point lnav to a directory and it will take care of the rest. File formats are automatically detected and compressed files are unpacked on the fly.
Log files are a wealth of information; lnav can help highlight the parts that are important and filter out the noise.

Using the GDPR as an opportunity to push monitoring projects

Very inspiring talk by Hagen Bauer on #DSGVO (GDPR) and monitoring at the #OSMC.

#^OSMC 2019 | Die DSGVO als Chance nutzen – Monitoring der Informationssicherheit by Hagen Bauer

Zero Trusted Networks

Interesting talk from #OSMC about micro-perimeter, least privileges, zero trust architectures, etc.

#^OSMC 2019 | Zero Trusted Networks – why Perimeter Security is dead by Jochen Kressin

checks and metrics

Very interesting talk about Checks and Metrics by Michael Medin at #OSMC

#^OSMC 2019 | Buzzword Bingo with NSClient++ by Michael Medin

Modern Lifecycle Policy?

As a modern online service, the Microsoft Teams client auto-updates every two weeks. Because Teams is governed by the Modern Lifecycle Policy, it is expected that users remain on the most up to date version of the desktop client. This ensures that users have the latest capabilities, performance enhancements, security, and service reliability.

Users on Teams desktop clients that are more than three months old will encounter a blocking page giving the options to update now, reach out to their IT admin, or continue to Teams on the web.


The way this software installs itself automatically on every computer with M$ Office365 feels a lot like malware. It installs the Micro$oft Teams desktop client with the regular Office update. In addition it installs a program that reinstalls the Micro$oft Teams desktop client on the next reboot if only the client was uninstalled. :prisoner

Who will ever want to install the Micro$oft Teams client for Linux that will be released next month?

Recommendations for the end of support of Windows Server 2008

 Sat, 16 Nov 2019 23:51:39 +0100 
#^Microsoft rät Kunden mit Windows Server 2008 zum schnellen Umstieg auf Azure-Cloud | News Center Microsoft
End of support for Windows Server 2008 and Windows Server 2008 R2 on 14 January 2020: without migration, companies risk security problems and compliance violations
On 14 January 2020 extended support for Windows Server 2008 and Windows Server 2008 R2 ends. Yet there are still companies without concrete plans for migrating to a new operating system. So that no security vulnerabilities or violations of compliance rules are risked from that date on, Microsoft advises moving the servers to Azure. Migrating to the cloud gives companies more time to find new solutions for the software applications that still require the old servers.

compliance with the EU General Data Protection Regulation (EU GDPR) can hardly be guaranteed in outdated server environments
Disconnecting systems from the internet is not a solution

Microsoft recommends migration to Azure

Icinga PowerShell Framework

Icinga Director v1.7.0

 Mon, 30 Sep 2019 11:01:42 +0200 
Finally \o/

#^Icinga Director v1.7.0 has been released
Over the last four years, the Icinga Director has grown from an optional configuration add-on to a mature software product with lots of features. Most Icinga installations are now driven by the Director, no matter whether they are small or huge, manually curated or fully automated.
But it will not stop here. Many cool ideas are eager to finally become reality. Director v1.7 is a huge step in that direction, as it lays the foundation for a completely new type of features. We are now able to delegate complex tasks to a dedicated background daemon that has been introduced with this version. New library modules have been published, allowing us to share cool bleeding edge functionality among different modules in a more efficient way.

The first release that includes my property modifier from December last year. ;-)

Kata Containers

 Fri, 20 Sep 2019 12:43:57 +0200 
#^Kata Containers isolieren Workloads von Docker und Kubernetes - Aus Linux-Magazin 12/2018
Kata Containers try to combine the lightweight nature of containers with the strict isolation of real servers. Docker users do not even have to get used to new commands for this.

#^Icinga 2.11
Now we are here, after many months of development – we proudly release Icinga 2.11, available today.

Bleeding edge
It has been an emotional ride with many changes under the hood. The most obvious change is that Icinga's distributed cluster operates more stably; the past quirks with hanging certificate signing requests or dead-locked TLS handshakes are now gone. This required us to go an unusual route: evaluate new libraries and programming techniques in order to replace hand-written lower-layer code, later replacing the entire code base for the network stack operations in Icinga. This is a massive effort in quality and stability where users had called out for 3.0 already.

Central logging with the Elastic Stack

#^Zentrales Logging mit dem Elastic Stack
Decentralised logging becomes more and more laborious as the number of processes to be monitored grows. That is why, for several years now, there have been tools that support central logging. This talk presents the Elastic Stack as one such tool.

In the world of microservices the number of log-producing processes is very large and easily in the range of 100-1000 processes. Manual log processing is practically unthinkable here. But monolithic services also often run decentrally, and analysing the production logs is then frequently a lot of effort as well. With central logging a much better overview of the overall state of a system can be gained, since not every log has to be examined individually; instead the logs are aggregated and can therefore also be evaluated automatically with ease. The Elastic Stack offers the possibility to store and search large amounts of logs. The ecosystem around the ELK stack supports developers, DevOps etc. in preparing the logs quickly and easily so that they can be analysed well. This talk presents the advantages and disadvantages of central logging and shows how the Elastic Stack can be integrated into environments.

#ELK #FrOSCon14 #FrOSCon2019


To access a cheat sheet you can simply issue a plain HTTP or HTTPS request specifying the topic name in the query URL:
    curl cheat.sh/tar
