How do install security updates on an Amazon Linux AMI EC2 instance? - amazon-ec2

I see the following notices displayed on login:
__| __|_ )
_| ( / Amazon Linux AMI
___|\___|___|
See /usr/share/doc/system-release/ for latest release notes.
There are 30 security update(s) out of 39 total update(s) available
How do I install these updates on my machine?

As outlined in section Security Updates within Amazon Linux AMI Basics, Amazon Linux AMIs are configured to download and install security updates at launch time, i.e. If you do not need to preserve data or customizations on your running Amazon Linux AMI instances, you can simply relaunch new instances with the latest updated Amazon Linux AMI (see section Product Life Cycle for details).
This currently includes only Critical or Important security updates though, see the AWS team's response to Best practices for Amazon Linux image security updates:
The default on Amazon Linux AMI is to install any Critical or
Important security updates on launch. This is a function of cloud-init
and be modified in cloud.cfg on the box or by passing in user-data.
This is why you see some security updates still available at launch.
Consequently, if you want to install all security updates or indeed need to preserve data or customizations on your running Amazon Linux AMI instances, you can maintain those instances through the Amazon Linux AMI yum repositories, i.e. you need to facilitate the regular Yum update mechanism as outlined for the yum-security plugin:
# yum update --security

Please note: This does not work if only security updates are selected, due to the fact that security updates are not properly flagged in centos and amazon linux. This may be a matter of Redhat making security a paid feature which, if I'm being frank, is bullshit.
For this to work you must update the yum-cron config file to install all updates. This makes security updates less likely to run reliably which makes everyone less secure.
update_cmd = default
Amazon Linux runs updates when the host boots for the first time.
If you plan to have hosts up long-term you may also want to enable automatic security updates. I recommend using yum-cron:
sudo yum install yum-cron
The config file is here: (you probably want to just run security updates)
/etc/yum/yum-cron.conf
You can then enable yum-cron like so:
sudo service yum-cron start
edit from a useful comment below:
"If you're creating/destroying instances with an auto-scaling group, etc, the command should be something like "sudo yum update -y" in user data."

The answer above is correct, here are the 4 commands you can copy and paste to run:
# Install the package yum-cron
sudo yum install yum-cron -y
# Change the config file /etc/yum/yum-cron.conf and modify the line apply_updates from no to yes
sudo sed -i "s/apply_updates = no/apply_updates = yes/" /etc/yum/yum-cron.conf
# Enable the yum-cron service to start automatically upon system boot
sudo systemctl enable yum-cron
# Start the yum-cron service now
sudo systemctl start yum-cron
These commands also work on Red Hat 7, CentOS 7
If you are running as the root user you can simply run the commands without sudo:
yum install yum-cron -y
sed -i "s/apply_updates = no/apply_updates = yes/" /etc/yum/yum-cron.conf
systemctl enable yum-cron
systemctl start yum-cron
For more information see https://linuxize.com/post/configure-automatic-updates-with-yum-cron-on-centos-7/
https://www.howtoforge.com/tutorial/how-to-setup-automatic-security-updates-on-centos-7/

Related

How do I help mitigate log4j via haproxy on Enterprise Linux

Based on this post, haproxy has provided mitigation acls rules that can be used to help fight against log4j attack requests getting proxied to the affected log4j apps.
In reading some of the users comments, It came to my attention that many Enterprise Linux Haproxy system out there might be running an older haproxy version 1.5 which doesn't have the option http-buffer-request directive. This directive is critical to any CVE you are trying to mitigate, even more so if this is your only option until you can upgrade the affected applications.
what is the easiest way to upgrade and to what version?
Answering my own question...
Haproxy 1.6 is needed, however RH provides haproxy 1.8 from the RHSCL repo
Make sure these repos are active on the system and install haproxy1.8
subscription-manager repos --enable=rhel-7-server-optional-rpms --enable=rhel-7-server-rpms --enable=rhel-server-rhscl-7-rpms
yum install -y rh-haproxy18.x86_64
cat the current config into the 1.8 cfg file and run a quick test config
cat /etc/haproxy/haproxy.cfg > /etc/opt/rh/rh-haproxy18/haproxy/haproxy.cfg
/opt/rh/rh-haproxy18/root/usr/sbin/haproxy -c -V -f /etc/opt/rh/rh-haproxy18/haproxy/haproxy.cfg
^ correct any warns or alert errors, In my experience, its mainly directive order or check port strings on your backend services. this is relatively simple to search the net for and correct
nano /etc/opt/rh/rh-haproxy18/haproxy/haproxy.cfg
Add the ACLS Rules, use unique names if using more than one listener/frontend in the cfg so they don't overlap
systemctl disable --now haproxy && systemctl enable --now rh-haproxy18-haproxy
yum remove -y haproxy && yum install -y rh-haproxy18-haproxy-syspaths.x86_64
^ the rh-haproxy18-haproxy-syspaths.x86_64 package replaced the haproxy service name so you do not have to update the systemctl scripts or even keepalived if you are using it to monitor haproxy service
I use this within keepalived which works before and after
killall -0 haproxy
HAProxy have blogged about this topic.
December/2021 – CVE-2021-44228: Log4Shell Remote Code Execution Mitigation

Ansible : how to set recovery options in Windows services

I need to bring up the following service and configure recovery options as below using ansible,
rem Register windows services
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe" "C:\myservice.exe"
rem Configure windows services recovery options
%SystemRoot%\System32\sc.exe failure myservice reset= 600 actions= restart/300000
%SystemRoot%\System32\sc.exe failureflag myservice 1
I can use win_service module to install service.
- name: Install Windows service
win_service:
name: myservice
path: 'C:\myservice.exe'
How do I set recovery options in ansible ? I don't see any free-form text in below given link,
https://docs.ansible.com/ansible/2.3/win_service_module.html
The link you have shared points out to the win_service module in ansible version 2.3 which is quite old.
Meanwhile, I just checked and there is nothing about recovery options either in the latest version of win_service (2.8 at time of writing)
However, there seems to be an ongoing pretty advanced PR that would introduce changes meeting your requirements. There are still some issues to fix and it missed 2.9 code freeze. But hopefully it could come out for the next version.
If you really can't wait you can try to install ansible from the above PR branch. But if you want to keep it safe, you will have to launch commands through the win_command module after installing the service until this PR is released.

How to spin up spinnaker locally for the first time

How to spin up a local version of Spinnaker? This has been answered and addressed in detail here.
https://github.com/spinnaker/spinnaker/issues/1729
Ok, so I got it to work, but not without you valuable help! #lwander
So I'll leave the steps here for posterity.
Each line is a separate command in the command line, I've installed this on a virtual machine with a freshly installed Ubuntu 14.04 copy with nothing else than SSH. Then SSH as root, You will need to configure sshd on your console to allow root access.
https://askubuntu.com/questions/469143/how-to-enable-ssh-root-access-on-ubuntu-14-04
> curl -O https://raw.githubusercontent.com/spinnaker/halyard/master/install/stable/InstallHalyard.sh
created a user account member of the adm and sudo groups (is this necessary???)
then Install Halyard:
bash InstallHalyard.sh
Verify that HAL is installed and validate its version.
hal -v
Tell Hal that the deployment type will be as a local instance (this will publish all services in localhost which will be tricky later in order to access them, but I have a turnaround so keep reading)
hal config deploy edit --type localdebian
Hal will complain that a version has not been selected, just tell HAL which version:
hal config version edit --version 1.0.0
The tell HAL which storage you are going to use, in my case and since it is local I want to use redis.
hal config storage edit --type redis
So now we need to add a cloud provider to HAL, we use AWS so we add it like this:
hal config provider aws edit --access-key-idXXXXXXXXXXXXXXXXXXXX--secret-access-key
I created a user on AWS and added access keys to the user inside IAM on the user security credentials tab. Obviously my access-key-idis not XXXXXXXXXXXXXXXXXXXX, I edited it. You do not need to enter the secret-access-key because the command will prompt for it.
Then you need to create a username relative or that will only concern you spinnaker installation however this will get related to you AWS Account-ID, so in MY spinnaker local installation I chose the username spinnakermaster you should choose yours!. And my AWS Account ID is not YYYYYYYYYYYY, I've edited too.
All the configurations and steps that you'll need to do inside AWS for this to work are really well documented here:
[https://www.spinnaker.io/setup/providers/aws/](https://www.spinnaker.io/setup/providers/aws/
)
And to tell HAL of of the above here's the command:
hal config provider aws account add spinnakermaster --account-id YYYYYYYYYYYY --assume-role role/spinnakerManaged
And after all that and if everything went according to plan we can ask HAL to deploy our brand new spinnaker installation.
hal deploy apply
It will begin a long installation downloading and configuring all the services.
Once it has finished you may do whatever you like but in my case I created a monitoring script like the one described here:
https://github.com/spinnaker/spinnaker/issues/854
Which can be launched on a recursive manner as this:
watch -n1 spinnaker-status.shor until toctrl+Cit!.
then to be able to access your local VM spinnaker copy you can either setup a reverse proxy with the proxy server of your choice to forward all the requests to localhost or you can simply ssh the SH** out of this redirecting the ports;
ssh root#ZZZ.ZZZ.ZZZ.ZZZ -L 9000:127.0.0.1:9000 -L 8084:127.0.0.1:8084 -L 8083:127.0.0.1:8083 -L 7002:127.0.0.1:7002 -L 8087:127.0.0.1:8087 -L 8080:127.0.0.1:8080 -L 8088:127.0.0.1:8088 -L 8089:127.0.0.1:8089
Where obviously theZZZ.ZZZ.ZZZ.ZZZ is not an actual IP Address.
And finally to begin having fun with this cutie you have to go to your browser of choice and type into the address bar:
http://127.0.0.0:9000
Hope this helps and saves some time to everybody!.
Cheers.
EN

ProFTPD can't connect after install

Installed Webmin successfully on a Debian system.
Created a virtual server, added some users and a domain.
Installed ProFTPD via Webmin's unused modules.
Added a new user with same named group via System -> Users and Groups.
Tried to connect via ftp using my server's external ip and my new user's credentials.
This should work according to most tutorials but it doesn't.
I'm suspecting some other service handles FTP requests before ProFTPD.
Is there a way to monitor protocol handlers? Could it be something else?
Thanks in advance.
because webmin try start it as deamon, but maybe (like me on archlinux) you need to start it as system service... on root:
systemctl start proftpd.service
If you want to look at the logs error (if there is errors, but if server is not start, it should ne have error...) then use:
journalctl -xe command (as root), or
systemctl --failed , or
systemctl status proftpd.service (all of these commands under root user or sudoers users).
So first of all, check that service is running:
systemctl status
then check the config file of webmin service for proftpd use the correct protocol for call service (systemd for example), and then use correct sentence code for start/stop it. Check also it goes to look at the correct config file of proftpd current install place (depend of your distribution or the way you install it).
proftpd is not installed by webmin, proftpd is installed, then from webmin, you install a module who has to communicate with allready installed application proftpd. If this module is well configured for point on actual proftpd installation and correct call of service, then all will have to works.
(please, if this answer help you, do up vote for my answer, without notation when i help, i can not help more because i'm locked by the system, hope you understand)
Have a look at the server's log, check le ProFTP daemon status, check the firewall

Configure TCP endpoint when vagrant up or reload

I'm using Vagrant to run an Ubuntu VM with Microsoft Azure provider, but I need to create an endpoint on this VM.
I've done it installing azure command-line tools with
npm install azure-cli -g
and after that
azure vm endpoint create {VM-Name} 80 8080
VM is running fine without problems. But I don't want to configure the endpoint manually anymore. I would like to create it when I run vagrant up. I don't want to use vagrant provision, because this shell instruction should not be executed in my VM, but in my physical machine.
There is no options such as verbose in vagrant, which would have permitted me to see what it really does with the Vagrantfile, and what I should do to implement a shell command like this one in it.
Ansver to initial question, do the following:
in vagrantfile add following string in azure provider section:
azure.tcp_endpoints = '80:8080'
hope this help.
answer to your question about verbose output:
you may run vagrant up --provider=azure --debug
for additional debug information.
if you need to run local scripts you may try to use vagrant-triggers plugin

Resources