Configuring RBAC, TLS Node Bootstrapping On An Existing Kubernetes (1.11) Cluster. Below is a continuation of my previous posts (parts 1-6) on how to configure a Kubernetes 3-master-node cluster. In the post below I am going to show you how to enable and configure RBAC on your existing Kubernetes cluster, and how to automatically bootstrap […]
Tag: security
Configuring NAT Using PF Firewall in Solaris 11 / 12 Zones
Solaris 11/12 PF Firewall NAT Configuration. Below is an update on how to configure NAT in Solaris 11/12; the original post used IPFilter (IPF). Since Solaris has now officially switched to the BSD firewall (PF), I created the updated example below. Assumptions: the network used in the kernel zones is 10.10.1.0/24; the network used on the global zone […]
Oracle ZFS Appliance(ZFSSA) LDAPS TLS / Diffie-Hellman(DH) SSL Rejected Due To Bit Length
Workaround for Oracle ZFS Appliance (ZFSSA) LDAPS / TLS Reject When Using OUD. I recently patched/upgraded the firmware on an Oracle ZFS Appliance. Once the upgrade was completed, the ZFS Appliance LDAPS connections stopped working; the error was due to the ZFS Appliance rejecting the Diffie-Hellman (DH) cipher being used in the LDAPS connections. It turns out the […]
How to export a certificate and private key to pkcs12 (p12) format
openssl pkcs12 -export -out certificate.p12 -inkey certificate-key.pem -in certificate-cert.pem
Enter Export Password:
Verifying - Enter Export Password:

Then provide the same export password when importing the .p12 file into Firefox.
Solaris kernel zones and IP NAT using ipfilter
Note: for an update on how to configure the PF firewall, please check Configuring NAT Using PF Firewall on Solaris 11/12. Assumptions: the network used in the zones is 192.195.40.0; create an etherstub with one local interface used as the gateway IP address; give each zone an IP address on a VNIC on the same […]
How To Allow Only Specific User Logins In Linux (netgroup)
Modify /etc/security/access.conf (this file is evaluated by the pam_access module, so pam_access.so must be enabled in the PAM stack for the rules to take effect). Rules are matched top to bottom; the final "- : ALL : ALL" denies everyone not explicitly allowed above it.

+ : ALL : LOCAL
+ : @groupA : ALL
+ : userA : ALL
+ : root : ALL
+ : userB : ALL
- : ALL : ALL
Configuring Solaris 11 user as Primary Administrator
Configuring a user as Primary Administrator in Solaris. To configure a user in Solaris 11.2 as Primary Administrator, follow the steps below. Note: the Primary Administrator profile was removed in Solaris 11.2 because of a security concern; the entries below re-create it.

/etc/user_attr
sshsvc::::type=roles;lock_after_retries=no;defaultpriv=all;profiles=Primary Administrator,All

/etc/security/prof_attr.d/core-os
Primary Administrator:::Can perform all administrative tasks:auths=solaris.*,solaris.grant;help=RtPriAdmin.html

/etc/security/exec_attr.d/core-os
Primary Administrator:suser:cmd:::*:uid=0;gid=0
Troubleshooting IPFilter
A very helpful site: https://blogs.oracle.com/SashaN/entry/packet_gets_blocked_eventhoug_it
Free Alternative to Splunk Using Fluentd and ElasticSearch
Splunk is a great tool for searching logs, but its high cost makes it prohibitive for many teams. In this article, we present a free and open source alternative to Splunk by combining three open source projects: ElasticSearch, Kibana, and Fluentd. http://docs.fluentd.org/articles/free-alternative-to-splunk-by-fluentd
Solaris IPFilter optimization
The default state-table settings are quite conservative and should be increased. First check whether state entries are being lost (a non-zero "lost" count means the state table filled up and connections were dropped):

user@opensolaris:~# ipfstat | grep lost
fragment state(in): kept 0 lost 0 not fragmented 0
fragment state(out): kept 0 lost 0 not fragmented 0
packet state(in): kept 798 lost 100
packet state(out): kept 612 lost 234

The default table sizes are quite conservative:

user@opensolaris:~# ipf -T list | grep fr_state
fr_statemax min 0x1 max 0x7fffffff current 4096
fr_statesize min 0x1 max 0x7fffffff current 5002

You need to shut down IPFilter and apply larger table size limits:

user@opensolaris:~# svcadm disable ipfilter
user@opensolaris:~# /usr/sbin/ipf -T fr_statemax=18963,fr_statesize=27091

To make this persistent across reboots, edit ipf.conf:

user@opensolaris:~# vi /usr/kernel/drv/ipf.conf
name="ipf" parent="pseudo" instance=0 fr_statemax=18963 fr_statesize=27091;
Check again to see if the change took effect.