DEV Community: Piyapol

How to perform a CIS Benchmark scan on Ubuntu 22.04

Piyapol — Thu, 03 Aug 2023 03:04:27 +0000

In this blog, we will focus on the process of performing a security scan on Ubuntu 22.04 following the CIS Benchmark for Ubuntu 22.04 (version 1.0.0).

First, install OpenSCAP.

apt install libopenscap8

Next, download OpenSCAP's content.

wget https://github.com/ComplianceAsCode/content/releases/download/v0.1.67/scap-security-guide-0.1.67.zip

unzip scap-security-guide-0.1.67.zip

After that, perform the scanning process.

oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis_level1_server --report report.html scap-security-guide-0.1.67/ssg-ubuntu2204-ds.xml

Finally, evaluate the results.

open report.html

That's all. Thank you for reading. Having a nice day.

Enforcing password policies on Ubuntu

Piyapol — Tue, 01 Aug 2023 05:30:34 +0000

Hi, in this blog, we are going to set up password policy enforcement to enhance overall security on Ubuntu.

Let's start with configure password complexity. First, install the libpam-pwquality.

sudo apt install libpam-pwquality

Then, edit /etc/security/pwquality.conf with following configuration.

minlen = 14  # password must be at least 14 characters
minclass = 4 # minimum number of required classes of characters for the new password (digits, uppercase, lowercase, others)

After that, edit /etc/login.defs with following configuration

PASS_MAX_DAYS 90 # password expiration days
PASS_MIN_DAYS 1  # days between password changes 
PASS_WARN_AGE 7  # warnings before expiration

That's all. Now we have a more robust Ubuntu system.
Thank you for reading and have a nice day.

How to setup MSSQL exporter

Piyapol — Fri, 28 Jul 2023 12:43:28 +0000

A short note for setting up MSSQL monitoring using Prometheus and Prometheus MSSQL Exporter.

First, create a new database user.

CREATE LOGIN MSSQLExporter WITH PASSWORD = ‘<PASSWORD>’;
CREATE USER MSSQLExporter FOR LOGIN MSSQLExporter;
GRANT VIEW ANY DEFINITION TO MSSQLExporter;
GRANT VIEW SERVER STATE TO MSSQLExporter;

Then, create a deployment manifest.

# mssql-exporter.yaml
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mssql-exporter
  labels:
    app.kubernetes.io/name: mssql-exporter
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: mssql-exporter
  template:
    metadata:
      labels:
        app.kubernetes.io/name: mssql-exporter
    spec:
      containers:
        - name: mssql-exporter
          image: awaragi/prometheus-mssql-exporter:v1.3.0
          ports:
            - containerPort: 4000
          env:
            - name: USERNAME
              value: "MSSQLExporter"
            - name: PASSWORD
              valueFrom:
                secretKeyRef:
                  name: mssql-exporter
                  key: MSSQL_EXPORTER_PASSWORD
            - name: SERVER
              value: mssql.example.local
            - name: PORT
              value: "1433"
---
apiVersion: v1
kind: Service
metadata:
  name: mssql-exporter
  labels:
    app.kubernetes.io/name: mssql-exporter
spec:
  type: ClusterIP
  ports:
    - port: 4000
      targetPort: 4000
      protocol: TCP
  selector:
    app.kubernetes.io/name: mssql-exporter
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: mssql-exporter
  labels:
    app.kubernetes.io/name: mssql-exporter
spec:
  endpoints:
    - targetPort: 4000
  namespaceSelector:
    matchNames:
      - mssql
  selector:
    matchLabels:
      app.kubernetes.io/name: mssql-exporter

Finally, apply.

kubectl apply -f mssql-exporter.yaml