Enable JIT Access on Azure VMs
In this post we’ll take a look at a feature of Azure Security Center called Just-In-Time VM access. This feature lets you time-box who has access to your Azure VMs and when. Black Hats will invariably look for open management ports on your VMs. RDP and SSH are often used by hackers as a possible entry point for access to your environment. Using JIT Access you can block access to these ports and require users to submit a request in order to gain access during a specific timeframe.
Purge Azure AD Deleted Objects
Ever get the dreaded message: “The directory object quota limit for the Principal has been exceeded. Please ask your administrator to increase the quota limit or delete objects to reduce the used quota.” But when you go and look you only have a handful of objects listed… certainly nowhere near the 250 allowed. In this post we’ll see one potential way to alleviate this issue. We’ll discover that what appears to be the case on the surface is not really the case with Azure AD. Azure AD actually doesn’t delete objects right away; it marks them as “Deleted”. So if you really want to remove objects from Azure AD, read on…
Authenticate GO CLI with Azure AD
Ever wonder how to integrate a command line application with Azure Active Directory? I happened to be working with a client recently who wanted to do just that, and I took the opportunity to dive in and figure it out, and in the process write it up for the website. In this post we’ll look at the Azure Golang SDK and how to use it for Azure AD authentication, and we’ll also create an application registration in AAD and assign permissions to our CLI.
Whitelist Ingress Access into AKS Clusters
If you read my last post on setting up ExternalDNS and CertManager on AKS you may have noticed that ingress to published services is open to Internet traffic. In this post I’ll look at two simple ways to lock down services so that only specific addresses have ingress access. First we’ll cover how to set up a network security group on the agent pool subnet to limit access, and then we’ll take a look at some features of NGINX that offer a bit more flexibility over who has access to what. We’ll also look at some changes we’ll need to make to cert-manager once ingress is locked down.
Automate DNS and SSL Certificates on AKS
In a recent project I was asked to configure Kubernetes so that it could create and manage DNS records automatically. This automatic management comes via Ingress objects created in Kubernetes: hostnames specified in Ingress objects automatically get DNS records created. This is exactly what the Kubernetes project ExternalDNS does. Unfortunately, even though there is a section for configuring it on Azure, it wasn’t straightforward to get working. This post walks through getting it up and running and also demonstrates its usage in Azure Government.
Creating Jekyll Category Pages on GitHub
In this post we’ll look at how to create some simple category pages using Jekyll on GitHub Pages with GitHub’s default set of plugins. GitHub Pages supports a limited subset of Jekyll plugins, and unfortunately this list doesn’t contain plugins like jekyll-category-pages or jekyll-archives, which would make building category pages easier. We can, however, get category pages on GitHub with just a little added effort, so keep reading.
Adding Auditd Logs to Azure Log Analytics
In my last post, entitled Forwarding Syslog to Azure Log Analytics, we set up our Linux VMs to send Syslog data to Azure Log Analytics for centralized collection. This allowed us to capture all our Syslog data as well as set up alerts for anomalous behavior in our logs. In this post we want to take it a step further: add auditd to our Linux VMs, set up some very specific auditing rules around file access and modifications, and send those to Log Analytics as well.