diff --git a/data/workshop/README.org b/data/workshop/README.org index 52e5d01..f74c54d 100644 --- a/data/workshop/README.org +++ b/data/workshop/README.org @@ -8,7 +8,7 @@ This document captures the steps required to set up an instance of the workshop. * Log in to cluster #+begin_src tmux -oc login --web https://api.cluster-pnccw.pnccw.sandbox225.opentlc.com:6443/ +oc login --web https://api.cluster-bcfz8.bcfz8.sandbox1805.opentlc.com:6443 #+end_src * Update cluster logo 
@@ -122,3 +122,49 @@ EOF oc adm policy add-scc-to-user privileged -z default -n prd-acme-payments #+end_src + +* Add spicy cluster users + +#+begin_src tmux +# Create the namespace for the exercise +oc new-project acme-prd-experimental + +# Retrive existing users htpasswd file +oc get secret htpasswd -ojsonpath={.data.htpasswd} -n openshift-config | base64 --decode > ${HOME}/Downloads/users.htpasswd + +# Add additional users +htpasswd -bB ${HOME}/Downloads/users.htpasswd specific-enhanced-ocelot admin +htpasswd -bB ${HOME}/Downloads/users.htpasswd upset-benevolent-hacker admin +htpasswd -bB ${HOME}/Downloads/users.htpasswd beaming-aggressive-squid admin +htpasswd -bB ${HOME}/Downloads/users.htpasswd tame-threatening-otter admin +htpasswd -bB ${HOME}/Downloads/users.htpasswd rebuked-placid-engineer admin +htpasswd -bB ${HOME}/Downloads/users.htpasswd expert-invasive-meerkat admin +htpasswd -bB ${HOME}/Downloads/users.htpasswd childish-shifty-caterpillar admin +htpasswd -bB ${HOME}/Downloads/users.htpasswd silent-lively-heron admin +htpasswd -bB ${HOME}/Downloads/users.htpasswd bountiful-soaked-crab admin +htpasswd -bB ${HOME}/Downloads/users.htpasswd alienated-proud-snail admin + +# Replace the secret +oc create secret generic htpasswd --from-file=htpasswd=${HOME}/Downloads/users.htpasswd --dry-run=client --output yaml --namespace openshift-config | oc replace --filename - + +# Login as a specified user +oc login --username alienated-proud-snail --password admin +oc login --username bountiful-soaked-crab --password admin +oc login --username silent-lively-heron --password admin +oc login --username childish-shifty-caterpillar --password admin +oc login --username expert-invasive-meerkat --password admin +oc login --username rebuked-placid-engineer --password admin +oc login --username tame-threatening-otter --password admin +oc login --username beaming-aggressive-squid --password admin +oc login --username upset-benevolent-hacker --password admin +oc login 
--username specific-enhanced-ocelot --password admin + +# Log back in as admin +oc login --username admin + +# Grant user permission on project +oc adm policy add-role-to-user admin childish-shifty-caterpillar --namespace prd-acme-experimental + +# Delete the namespace as a particular user +oc delete project prd-acme-experimental --as childish-shifty-caterpillar +#+end_src diff --git a/data/workshop/exercise1.mdx b/data/workshop/exercise1.mdx index b178ee2..5ccb325 100644 --- a/data/workshop/exercise1.mdx +++ b/data/workshop/exercise1.mdx @@ -55,7 +55,7 @@ Register for an environment using `[team name]@redhat.com` and the password prov ## 1.4 - Confirm environment access -If your team have secured an environment and are ready to start the challenge please post a message in `#event-anz-ocp-security-hackathon` with the message: +If your team have secured an environment and are ready to start the challenge please post in `#event-anz-ocp-security-hackathon` with the message: > [team name] have logged into an environment and are starting the challenge! diff --git a/data/workshop/exercise2.mdx b/data/workshop/exercise2.mdx index 20ce4a9..d92d591 100644 --- a/data/workshop/exercise2.mdx +++ b/data/workshop/exercise2.mdx @@ -90,7 +90,7 @@ Documentation you may find helpful is: ## 2.5 - Check your work -If your pair session with Angie has finished and the hub cluster is secured please post a message in `#event-anz-ocp-security-hackathon` with the message: +If your pair session with Angie has finished and the hub cluster is secured please post in `#event-anz-ocp-security-hackathon` with the message: > Please review [team name] solution for exercise 2. diff --git a/data/workshop/exercise3.mdx b/data/workshop/exercise3.mdx index ec5f6c3..8305c53 100644 --- a/data/workshop/exercise3.mdx +++ b/data/workshop/exercise3.mdx 
@@ -59,7 +59,7 @@ oc --namespace openshift-ovn-kubernetes rsh ovnkube-node- ovn-nbctl --no- ## 3.3 - Check your work -If you've kept Brent happy by enabling encryption for internal cluster traffic please post a message in `#event-anz-ocp-security-hackathon` with the message: +If you've kept Brent happy by enabling encryption for internal cluster traffic please post in `#event-anz-ocp-security-hackathon` with the message: > Please review [team name] solution for exercise 3, our cluster internal traffic is now encrypted with cipher [cipher]. diff --git a/data/workshop/exercise4.mdx b/data/workshop/exercise4.mdx index 220f0b6..bba4b5c 100644 --- a/data/workshop/exercise4.mdx +++ b/data/workshop/exercise4.mdx @@ -43,7 +43,7 @@ Documentation you may find helpful is: ## 4.3 - Check your work -If you've successfully secured the banks vulnerable payments processor please post a message in `#event-anz-ocp-security-hackathon` with the message: +If you've successfully secured the banks vulnerable payments processor please post in `#event-anz-ocp-security-hackathon` with the message: > Please review [team name] solution for exercise 4, our payments processor application is now unhackable. diff --git a/data/workshop/exercise5.mdx b/data/workshop/exercise5.mdx index 2257e9b..70d59d1 100644 --- a/data/workshop/exercise5.mdx +++ b/data/workshop/exercise5.mdx @@ -60,7 +60,7 @@ Documentation you may find helpful is: ## 5.4 - Check your work -If you've successfully run the compliance scan and remediated the compliance issue to show Melissa how things work please post an issue in `#event-anz-ocp-security-hackathon` with the message: +If you've successfully run the compliance scan and remediated the compliance issue to show Melissa how things work please post in `#event-anz-ocp-security-hackathon` with the message: > Please review [team name] solution for exercise 5, our cluster is now [percentage] compliant against NIST 800-53 at a cluster level. 
diff --git a/data/workshop/exercise6.mdx b/data/workshop/exercise6.mdx new file mode 100644 index 0000000..bf9f6aa --- /dev/null +++ b/data/workshop/exercise6.mdx 
@@ -0,0 +1,59 @@ +--- +title: Inspecting audit logs +exercise: 6 +date: '2024-10-31' +tags: ['openshift','audit','logging'] +draft: false +authors: ['default'] +summary: "Ahh the classic who dunnit!?!??" +--- + + +You're about to finish up day three of the engagement at ACME and have the lid halfway closed on your ACME provided CrapPhablet7000™ laptop for the day when you hear it. An incoming Skype for Business call 😰 + +Here we go... + +Lifting the lid with a resigned sigh you answer. It's Angie. She's looking aggrieved and in a huff explains that someone has apparently deleted an important company project and she needs to figure out who. She's worried someone has permissions they shouldn't or there is an inside threat actor. + +Fear not you tell Angie, Kubernetes auditing provides a security-relevant, chronological set of records documenting the sequence of actions in a cluster. The cluster audits the activities generated by users, by applications that use the Kubernetes API, and by the control plane itself. + +So we just need to inspect the audit logs and we should be able to find our culprit! + +![audit](/static/images/security/audit-logs.png) + + +## 6.1 - Needle in a haystack + +On the call Angie starts sharing her screen and logging into the ACME ElasticSearch instance to start querying the audit logs but you interrupt her and explain that the cluster hasn't yet been configured to ship logs to an external aggregator. + +Fear not however, you explain how the internal audit logs can still be queried using the `oc` CLI and fire up your own screen share to step her through how it's done. + +The namespace Angie needs to query is `prd-acme-experimental`, can you track down our threat actor?? + +Documentation you may find helpful is: + +- https://docs.openshift.com/container-platform/4.17/security/audit-log-view.html + + +## 6.2 - Removing the culprit + +With the culprit identified Angie is unsurprised. 
This particular user has been causing mayhem in every role they have worked and is on their last written warning so will probably now be let go. + +Angie instructs you to remove their platform access immediately so that they can no longer log in to OpenShift. + +Documentation you may find helpful is: + +- https://access.redhat.com/solutions/4039941 + + +## 6.3 - Check your work + +If you've successfully identified the culprit and removed their platform access please post in `#event-anz-ocp-security-hackathon` with the message: + +> Please review [team name] solution for exercise 6, the culprit for the project deletion no longer has access to our OpenShift cluster. + +This exercise is worth `25` points. The event team will reply in slack to confirm your updated team total score 🎉 + + + + diff --git a/public/static/images/security/audit-logs.png b/public/static/images/security/audit-logs.png new file mode 100644 index 0000000..b74e046 Binary files /dev/null and b/public/static/images/security/audit-logs.png differ
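Review bot: in the "Add spicy cluster users" block of README.org the namespace created at the top (`oc new-project acme-prd-experimental`) does not match the one used by the later `add-role-to-user` and `oc delete project` commands (`prd-acme-experimental`), which is also the name exercise6.mdx tells participants to query, so the role binding and the deletion will run against a namespace that does not exist; change the `new-project` line to `prd-acme-experimental`. Two further points on the same block. First, `oc delete project prd-acme-experimental --as childish-shifty-caterpillar` is an impersonated request from the admin session, so the audit event will record the admin account as `user` and the target account under `impersonatedUser`; either state that in this README so facilitators know what the trail looks like, or run the deletion from a real `oc login` as that user so the log matches the story in exercise 6. Second, `htpasswd -b` puts the shared password `admin` on the command line for every account (it lands in shell history) and the decoded htpasswd file is left behind in `${HOME}/Downloads`; a comment marking these as throwaway workshop credentials plus a cleanup line removing the file would help. Also `Retrive` -> `Retrieve`, and the comment `Login as a specified user` could say why the loop exists (one login per account so the `User` and `Identity` objects get created).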
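Review bot: while the exercise4.mdx sentence is being reworded anyway, `the banks vulnerable payments processor` should read `the bank's vulnerable payments processor`.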
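Review bot: in exercise6.mdx section 6.2 asks teams to remove the culprit's platform access so they "can no longer log in", but 6.3 does not say what counts as removed, so the check is hard to grade consistently. Removing the htpasswd entry (replacing the `htpasswd` secret in `openshift-config`) only blocks new logins; the existing `User` and `Identity` objects, any OAuth access tokens already issued to that user, and the `admin` role binding granted in the README all remain. The facilitator notes should list those, and the 6.3 message could ask teams to state what they removed. In 6.1, consider a hint on where the event lives: the deletion is performed with `oc delete project`, which is served by the OpenShift API server (`project.openshift.io`), so the expected search should include the openshift-apiserver audit log on the control-plane nodes and not only the kube-apiserver log. Minor: `in slack` -> `in Slack`, and the file ends with several trailing blank lines.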