From 3ddc51d967e2656e119c4b97eea66fa0942b9a62 Mon Sep 17 00:00:00 2001 From: mfoster_stackrox Date: Wed, 9 Oct 2024 23:08:42 -0400 Subject: [PATCH] updates --- content/modules/ROOT/nav.adoc | 6 +- .../modules/ROOT/pages/10-installation.adoc | 106 ++++++++++++++---- .../ROOT/pages/misc-hacking-linux.adoc | 6 + 3 files changed, 91 insertions(+), 27 deletions(-) diff --git a/content/modules/ROOT/nav.adoc b/content/modules/ROOT/nav.adoc index c710ad8..9827115 100644 --- a/content/modules/ROOT/nav.adoc +++ b/content/modules/ROOT/nav.adoc @@ -15,9 +15,9 @@ //Extra modules -* xref:misc-hacking-linux.adoc[Black Hat - CTF - hack a web application] -* xref:misc-log-4-shell-lab.adoc[Black Hat - log4shell example] -* xref:partner-paladin.adoc[Partner - Paladin Cloud & RHACS Integration] +* xref:misc-hacking-linux.adoc[CTF - hack a web application] +* xref:misc-log-4-shell-lab.adoc[log4shell example] +// * xref:partner-paladin.adoc[Partner - Paladin Cloud & RHACS Integration] diff --git a/content/modules/ROOT/pages/10-installation.adoc b/content/modules/ROOT/pages/10-installation.adoc index 72286df..538bd1a 100644 --- a/content/modules/ROOT/pages/10-installation.adoc +++ b/content/modules/ROOT/pages/10-installation.adoc 
@@ -2,46 +2,104 @@ == Module goals .Goals -* Review the Network Dashboard -* Create Network Policies that improve our CIS compliance. -== Accessing the EKS cluster +== Ensure the EKS cluster -I have checked the environment and it is has both eks and openshift cluster. Both are accessible using cli only need to change the context by using following command: +We are going to use Helm to install the ACS secured cluster services in Amazon's EKS. To do this we will need admin access to the cluster with Helm install. Verify that you have both before moving on. -````bash +==== +This command ensures you have access to the EKS Cluster +==== +[source,sh,subs="attributes",role=execute] +---- oc config get-contexts -oc config use-context admin oc config use-context eks-admin -```` -Let us know if we can help anywhere else. - -kubectl set resources deployment sensor -c=sensor --requests=cpu=100m,memory=256Mi --limits=cpu=2,memory=2Gi -n stackrox +---- +[.console-output] +[source,bash,subs="+macros,+attributes"] +---- +[lab-user@bastion ~]$ oc config get-contexts +oc config use-context eks-admin +CURRENT NAME CLUSTER AUTHINFO NAMESPACE + admin cluster-qkskx admin +* eks-admin arn:aws:eks:us-east-2:327895892313:cluster/qkskx-eks-cluster arn:aws:eks:us-east-2:327895892313:cluster/qkskx-eks-cluster + trusted-profile-analyzer/api-cluster-qkskx-qkskx-sandbox361-opentlc-com:6443/system:admin api-cluster-qkskx-qkskx-sandbox361-opentlc-com:6443 system:admin/api-cluster-qkskx-qkskx-sandbox361-opentlc-com:6443 trusted-profile-analyzer -Check that the pod is up and running: +*Switched to context "eks-admin".* +[lab-user@bastion ~]$ +---- -[.lines_space] -[.console-input] -[source,bash, subs="+macros,+attributes"] +==== +And This command ensures you Helm installed +==== +[source,sh,subs="attributes",role=execute] ---- -kubectl get pods +helm ---- [.console-output] [source,bash,subs="+macros,+attributes"] ---- -NAME READY STATUS RESTARTS AGE -{podname} 1/1 Running 0 5s +... 
+ --qps float32 queries per second used when communicating with the Kubernetes API, not including bursting + --registry-config string path to the registry config file (default "/home/lab-user/.config/helm/registry/config.json") + --repository-cache string path to the directory containing cached repository indexes (default "/home/lab-user/.cache/helm/repository") + --repository-config string path to the file containing repository names and URLs (default "/home/lab-user/.config/helm/repositories.yaml") + +Use "helm [command] --help" for more information about a command. ---- -Then let's go into the running pod to execute some commands: -[.console-input] -[source,bash, subs="+macros,+attributes"] ----- -kubectl exec -ti {podname} /bin/bash ----- +## Setting Up Red Hat Account and Creating Central Instance on ACS + +*Procedure* +. Head on over to https://www.redhat.com/en/technologies/cloud-computing/openshift/advanced-cluster-security-kubernetes/cloud-service/trial +. Click on the Start Your Trial button. +. Sign up for a Red Hat account if you don't have one. +. Once you are in "Getting Started" tab select "Create Instance". + +NOTE: You will be redirected to the *ACS Instances* page where you can view all of the central services that have been deployed. + +[start=5] +. Select *Create ACS instance* +. Fill in your name, AWS account number, and select your cloud region (US East or Europe). +. Wait for the creation process to complete. Typically it is 7-10 minutes. + +IMPORTANT: You need ACS Central Services to be available to deploy ACS Secured Cluster Services into the EKS Cluster. 
+ +## Checking and Accessing the Central Instance + +helm install stackrox-secured-cluster-services stackrox/stackrox-secured-cluster-services -n stackrox -f init-bundle.yml --set clusterName=eks-production-cluster --set centralEndpoint=acs-data-cs3a2gnasu0g1ivkgbhg.acs.rhcloud.com:443 --set imagePullSecrets.username=mfoster@redhat.com --set imagePullSecrets.password='rfm1kjm0qym6awq!BVN' --create-namespace + + +## Simplifying the Loom Transcript: Setting Up EKS Production Cluster + +1. **Accessing ACS Console** + + - Deploy and open the central instance. + - Click on "Open ACS Console" to access the setup page. + +2. **Creating an Init Bundle** + + - Click on "Create Init Bundle" and select EKS. + - Name the bundle (e.g., EKS production cluster) and download the init bundle YAML. + - Open the YAML file in the showroom instance. + +3. **Adding Certificate Information** + + - Copy the certificate information from the YAML file. + - Create a new file (e.g., init-bundle.yaml) in a text editor. + - Paste the certificate information, save the file. + +4. **Setting Up EKS Cluster** + + - Go to the getting started page and follow the EKS and Helm install instructions. + - Copy the Helm install command and run Helm repo add and Helm repo update commands. + - Run the Helm install command with the necessary parameters (e.g., unique ClusterName). -NOTE: Change the pod name with your pod name. +5. **Configuring Cluster Services** + - Find the API endpoint for the cluster in the ACS instance. + - Save the API endpoint and add your Red Hat username and password. + - Use a generic account if setting up in ArgoCD or similar tools. \ No newline at end of file diff --git a/content/modules/ROOT/pages/misc-hacking-linux.adoc b/content/modules/ROOT/pages/misc-hacking-linux.adoc index 6cf405b..cdf341a 100644 --- a/content/modules/ROOT/pages/misc-hacking-linux.adoc +++ b/content/modules/ROOT/pages/misc-hacking-linux.adoc 
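Review bot: In 10-installation.adoc, the `helm install` line added under "Checking and Accessing the Central Instance" commits what appears to be a real account username and a literal `imagePullSecrets.password` value. Once merged it stays in git history, so the credential should be rotated and the line changed to labelled placeholders, e.g. `--set imagePullSecrets.username=<registry-username> --set imagePullSecrets.password=<registry-password>`. Passing the password with `--set` also leaves it in shell history and the process list, so the text should direct readers to supply it from a values file kept out of version control or from a pre-created pull secret. The console output added earlier in the same hunk shows an AWS account ID inside the cluster ARN, and the `centralEndpoint` value looks instance-specific; both are worth masking in published lab material. The command also reads `-f init-bundle.yml` while step 3 names the file `init-bundle.yaml`, so a reader following the steps would hit a file-not-found error.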
@@ -5,6 +5,12 @@ * A CTF challenge: Web hacking a running container on OpenShift * There are three flags found during the journey. +== The CTF challenge + +This vulnerable web application is intentionally designed with minimal interaction but contains flaws that can be exploited through SQL injection and cross-site scripting (XSS) attacks. There are three hidden flags to discover. + +Have fun exploring! + == Getting access Start by networking the running container so that you can access it. the following commands deployes our vulnerable container to EKS and creates a LoadBalancer service to make it publically accessable.