odroid cgroup pids


title: “odroid cgroup pids”
date: 2021-01-04T20:58:00
slug: ordoid-cgroub-pids


This guide is only for the NATIVE BUILD. Run it on the board.

Installing build tools

You may need to install the build tools first.

$ sudo apt-get install git gcc g++ build-essential libssl-dev bc flex bison

Download and build the kernel source

Updating Kernel and DTB (Device Tree Blob)

Please note that native kernel compile on ODROID-XU4 will take about 25 minutes.

$ git clone --depth 1 https://github.com/hardkernel/linux -b odroidxu4-4.14.y
$ cd linux
$ make odroidxu4_defconfig
!! edit .config and enable CGROUP_PIDS by adding CONFIG_CGROUP_PIDS=y
$ make -j8
$ sudo make modules\_install
$ sudo cp -f arch/arm/boot/zImage /media/boot
$ sudo cp -f arch/arm/boot/dts/exynos5422-odroid*dtb /media/boot
$ sync
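As an added example (not part of the original guide), the manual .config edit from the step above done programmatically: enable_kconfig_option rewrites a Kconfig-style .config so that CONFIG_CGROUP_PIDS=y appears exactly once, whichever state the line was in (absent, "is not set", =n/=m, or already =y). The sample config text is constructed.

```python
import re

# Added example, not from the original guide: enable one option in a
# Kconfig-style .config the way the "edit .config" step above does by hand.


def enable_kconfig_option(config_text: str, option: str) -> str:
    """Return config_text with CONFIG_<option>=y present exactly once.

    Handles the line states a .config can have for a symbol:
    '# CONFIG_X is not set', 'CONFIG_X=n|m|y', or no line at all.
    """
    sym = f"CONFIG_{option}"
    not_set = re.compile(rf"^#\s*{re.escape(sym)} is not set\s*$")
    assigned = re.compile(rf"^{re.escape(sym)}=")
    out, found = [], False
    for line in config_text.splitlines():
        if not_set.match(line) or assigned.match(line):
            if not found:
                out.append(f"{sym}=y")
                found = True
            continue  # drop any duplicate definition of the same symbol
        out.append(line)
    if not found:
        out.append(f"{sym}=y")
    return "\n".join(out) + "\n"


def is_enabled(config_text: str, option: str) -> bool:
    """True if the option is set to =y as a whole line."""
    return f"CONFIG_{option}=y" in config_text.splitlines()


# Constructed sample of the cgroup part of a generated .config
SAMPLE_CONFIG = """\
CONFIG_CGROUPS=y
# CONFIG_CGROUP_PIDS is not set
CONFIG_CGROUP_FREEZER=y
"""

if __name__ == "__main__":
    print(enable_kconfig_option(SAMPLE_CONFIG, "CGROUP_PIDS"))
```

Inside the kernel tree, `scripts/config --enable CGROUP_PIDS && make olddefconfig` does the same job and also resolves dependencies (CGROUP_PIDS needs CONFIG_CGROUPS=y).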

Updating root ramdisk (Optional)

$ sudo cp .config /boot/config-`make kernelrelease`
$ sudo update-initramfs -c -k `make kernelrelease`
$ sudo mkimage -A arm -O linux -T ramdisk -C none -a 0 -e 0 -n uInitrd -d /boot/initrd.img-`make kernelrelease` /boot/uInitrd-`make kernelrelease`
$ sudo cp /boot/uInitrd-`make kernelrelease` /media/boot/uInitrd
$ sync

Before you start with new Linux kernel v4.14

Check that all necessary files are in place before rebooting, as shown below. The file sizes will differ.

$ ls -l /media/boot/
total 14756
-rwxr-xr-x 1 root root 9536 Oct 25 23:29 boot.ini
-rwxr-xr-x 1 root root 753 Aug 20 22:38 boot.ini.default
-rwxr-xr-x 1 root root 62565 Nov 2 01:24 exynos5422-odroidxu3.dtb
-rwxr-xr-x 1 root root 61814 Nov 2 01:24 exynos5422-odroidxu3-lite.dtb
-rwxr-xr-x 1 root root 62225 Nov 2 01:24 exynos5422-odroidxu4.dtb
-rwxr-xr-x 1 root root 61714 Oct 25 23:30 exynos5422-odroidxu4-kvm.dtb
-rwxr-xr-x 1 root root 9996513 Nov 2 01:27 uInitrd
-rwxr-xr-x 1 root root 4844744 Nov 2 01:24 zImage
$ sudo sync
$ sudo reboot

compiling c


title: “compiling c”
date: 2021-01-02T22:41:17
slug: c-compilieren


depbase=`echo dvbv5-scan.o | sed 's|[^/]*$|.deps/&|;s|\.o$||'`; gcc -DHAVE_CONFIG_H -I. -I/v4l-utils/ -I/v4l-utils/lib/include -Wall -Wpointer-arith -D_GNU_SOURCE -I/v4l-utils/include -g -O2 -MT dvbv5-scan.o -MD -MP -MF $depbase.Tpo -c -o dvbv5-scan.o dvbv5-scan.c && mv -f $depbase.Tpo $depbase.Po
/bin/bash /v4l-utils/libtool --silent --tag=CC --mode=link gcc -pthread -g -O2 -lm -o dvbv5-scan dvbv5-scan.o /v4l-utils/lib/libdvbv5/libdvbv5.la -ludev

compile wscan with mysql


title: “compile wscan with mysql”
date: 2021-01-01T17:43:09
slug: compile-wscan-with-mysql


export LIBS="-I/usr/include/mysql -L/usr/lib/arm-linux-gnueabihf -lmysqlclient -lpthread -lz -lm -lrt -latomic -lssl -lcrypto -ldl -lrt"

Create a Readonly RootFS Pod with writeable /tmp


title: “Create a Readonly RootFS Pod with writeable /tmp”
date: 2020-12-30T15:54:33
slug: create-a-readonly-rootfs-pod-with-writeable-tmp


apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: team-purple
  name: immutable-deployment
  labels:
    app: immutable-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: immutable-deployment
  template:
    metadata:
      labels:
        app: immutable-deployment
    spec:
      containers:
      - image: busybox:1.32.0
        command: ['sh', '-c', 'tail -f /dev/null']
        imagePullPolicy: IfNotPresent
        name: busybox
        securityContext:
          readOnlyRootFilesystem: true
        volumeMounts:
        - mountPath: /tmp
          name: tmp
      volumes:
      - name: tmp
        emptyDir: {}
      restartPolicy: Always

Find User Action in AuditLog (get secret)


title: “Find User Action in AuditLog (get secret)”
date: 2020-12-30T15:43:21
slug: find-user-action-in-auditlog-get-secret


cat audit.log | grep "p.auster" | grep Secret | grep list | vim -

AND

cat audit.log | grep "p.auster" | grep Secret | grep get | vim -

Under “objectRef” and “name” you find the secrets that were listed or read.
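As an added example that is not part of the original note, the same filtering done on the JSON events the API server writes to the audit log (one event per line) instead of with grep, so that user, verb and resource are matched as fields and each request is counted once. The user name p.auster comes from the commands above; the events are constructed.

```python
import json

# Added example, not from the original note: the grep chains above, run on
# the JSON events that --audit-log-path writes (one Event per line).
SECRET_VERBS = {"get", "list", "watch"}


def secret_accesses(log_text, user, verbs=SECRET_VERBS):
    """Return [(verb, namespace, name)] for Secret requests made by `user`.

    name is None for list/watch: those events carry no objectRef.name, so
    at Metadata level they only show that a namespace was enumerated.
    """
    hits = []
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or truncated line
        # a request is logged at several stages; count it once, when complete
        if ev.get("stage") != "ResponseComplete":
            continue
        if ev.get("user", {}).get("username") != user:
            continue
        ref = ev.get("objectRef") or {}
        if ref.get("resource") != "secrets" or ev.get("verb") not in verbs:
            continue
        hits.append((ev["verb"], ref.get("namespace"), ref.get("name")))
    return hits


# Constructed sample events (abridged audit.k8s.io/v1 Event objects)
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"stage": "RequestReceived", "verb": "get", "user": {"username": "p.auster"},
     "objectRef": {"resource": "secrets", "namespace": "kube-system", "name": "db-creds"}},
    {"stage": "ResponseComplete", "verb": "get", "user": {"username": "p.auster"},
     "objectRef": {"resource": "secrets", "namespace": "kube-system", "name": "db-creds"}},
    {"stage": "ResponseComplete", "verb": "list", "user": {"username": "p.auster"},
     "objectRef": {"resource": "secrets", "namespace": "team-purple"}},
    {"stage": "ResponseComplete", "verb": "get", "user": {"username": "system:kube-controller-manager"},
     "objectRef": {"resource": "secrets", "namespace": "kube-system", "name": "db-creds"}},
    {"stage": "ResponseComplete", "verb": "get", "user": {"username": "p.auster"},
     "objectRef": {"resource": "configmaps", "namespace": "kube-system", "name": "app-config"}},
])

if __name__ == "__main__":
    for verb, ns, name in secret_accesses(SAMPLE_LOG, "p.auster"):
        print(f"{verb:5} {ns}/{name or '*'}")
```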

List Syscalls generated by Pods


title: “List Syscalls generated by Pods”
date: 2020-12-30T14:39:56
slug: list-syscalls-gerneated-by-pods


List Pods and their Nodes:

k get pod -owide
collector1-59ddbd6c7f-ffjjv ... cluster1-worker1

SSH to the Node and check which process is running inside the container:

docker ps | grep collector1
3e07aee08a48 registry.killer.sh:5000/collector1 "./collector1-process" .........

The process is “collector1-process”; find its PID (there can be several PIDs if more containers from that image are running):

ps aux | grep collector1-process
root 10991 0.0 0.0 2412 760 ? Ssl 22:41 0:00 ./collector1-process
root 11150 0.0 0.0 2412 756 ? Ssl 22:41 0:00 ./collector1-process

Strace the PID:

strace -p 10991

List secrets with api curl from inside a Pod


title: “List secrets with api curl from inside a Pod”
date: 2020-12-30T14:04:51
slug: list-secrets-with-api-curl-from-inside-a-pod


curl -vvvk --header "Authorization: Bearer $TOKEN" https://$APISERVER:443/api/v1/namespaces/restricted/secrets
curl -vvvk --header "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" https://$KUBERNETES_PORT_443_TCP_ADDR:443/api/v1/namespaces/squad-rtlplus-music/pods

System Hardening – Kernel Hardening Tools


title: “System Hardening – Kernel Hardening Tools”
date: 2020-12-16T13:56:46
slug: system-hardening-kernel-hardening-tools


Apparmor for Containers

apt-get install apparmor
apt-get install apparmor-utils

aa-status
aa-genprof curl

curl https://google.de
aa-logprof

Install a Profile with:

apparmor_parser -q profile
apparmor_status   # check that the profile is loaded

Seccomp
Put the seccomp JSON file into “/var/lib/kubelet/seccomp/default.json”
(it can be downloaded from https://kubernetes.io/docs/tutorials/clusters/seccomp/).
Reference it from the pod's securityContext; localhostProfile is resolved relative to /var/lib/kubelet/seccomp:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: secure
  name: secure
spec:
  securityContext:
    seccompProfile:
      type: Localhost
      localhostProfile: default.json

Runtime Security – Auditing


title: “Runtime Security – Auditing”
date: 2020-12-16T08:15:32
slug: runtime-security-auditing


Enable / Configure Auditing

This audit rule logs every request at the Metadata level (user, verb, resource, timestamp; no request or response bodies):

vi /etc/kubernetes/audit/policy.yaml

apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata

Enable and configure auditing in the kube-apiserver manifest:

vi /etc/kubernetes/manifests/kube-apiserver.yaml

The policy directory must be mounted into the API server container so it can read policy.yaml, and the log directory must be mounted so the audit log lands on the host instead of inside the container:

    - --audit-policy-file=/etc/kubernetes/audit/policy.yaml   # add
    - --audit-log-path=/var/log/kubernetes/audit.log          # add
    - --audit-log-maxsize=500                                 # add
    - --audit-log-maxbackup=5                                 # add

    volumeMounts:
    - mountPath: /etc/kubernetes/audit                        # add
      name: audit
    - mountPath: /var/log/kubernetes                          # add
      name: audit-log

  volumes:
  - hostPath:                                                 # add
      path: /etc/kubernetes/audit
      type: DirectoryOrCreate
    name: audit
  - hostPath:                                                 # add
      path: /var/log/kubernetes
      type: DirectoryOrCreate
    name: audit-log

Some Policy Examples:
Don't log anything from the RequestReceived stage (omitStages):

apiVersion: audit.k8s.io/v1 # This is required.
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
 - "RequestReceived"