FreeIPA is an open source identity management solution that integrates authentication, authorization, policies and other identity management features in a centralized manner. It aims to simplify identity management for Linux and Unix systems in a similar way that Active Directory does for Windows. FreeIPA also allows for integration with Active Directory domains through cross-realm Kerberos trusts, allowing single sign-on for users between Linux and Windows systems.
FreeIPA is the open source answer to Active Directory, bringing the functionality of Kerberos and centralized management to the unix world. This talk will dive into the background of FreeIPA, how to attack it, and its parallels to traditional Active Directory. We will cover the FreeIPA equivalents of credential abuse, discovery, and lateral movement, highlighting the similarities and differences from traditional Active Directory tradecraft. This will culminate in multiple real-world demos showing how chains of abuse, previously accessible only in Windows environments, are now possible in the unix realm, providing a new medium for offensive research into Kerberos and LDAP environments.
An introduction to docker; the concepts; how to use it and why. The presentation is mainly based on the following presentation by docker, but with added info about Docker Compose and Docker Swarm.
https://www.slideshare.net/Docker/docker-101-nov-2016
#container #docker #Trifork #TriforkSelected #GotoConf
CloudStack and GitOps at Enterprise Scale - Alex Dometrius, Rene Glover - AT&TShapeBlue
The AT&T team recently embarked on a journey with CloudStack and has since deployed a solution which encompasses multiple data-centers. This talk focuses on how they are using open source tools like CloudStack, FreeIPA, and Metal as a Service (MaaS) to support KVM-based VM provisioning at an enterprise scale within a GitOps model.
-----------------------------------------
The CloudStack Collaboration Conference 2023 took place on 23-24th November. The conference, arranged by a group of volunteers from the Apache CloudStack Community, took place in the voco hotel, in Porte de Clichy, Paris. It hosted over 350 attendees, with 47 speakers holding technical talks, user stories, new features and integrations presentations and more.
Podman was created to be an alternative to Docker. It bears many similarities to the popular containerization tool, but it also differs in some important aspects.
Podman is daemonless, unlike Docker, which uses a client-server paradigm. While Docker needs a daemon process to maintain the connection between the client and the server, Podman is a single main process with containers as child processes.
Due to its architecture, Docker requires root privileges. Podman is rootless by design.
Docker is a monolithic platform that strives to be an all-in-one solution for container management. Podman, on the other side, focuses on running containers. It utilizes specialized tools for other functionalities - for example, it uses Buildah for building images, and skopeo for image management and distribution.
FreeIPA is the open source answer to Active Directory, bringing the functionality of Kerberos and centralized management to the unix world. This talk will dive into the background of FreeIPA, how to attack it, and its parallels to traditional Active Directory. We will cover the FreeIPA equivalents of credential abuse, discovery, and lateral movement, highlighting the similarities and differences from traditional Active Directory tradecraft. This will culminate in multiple real-world demos showing how chains of abuse, previously accessible only in Windows environments, are now possible in the unix realm, providing a new medium for offensive research into Kerberos and LDAP environments.
An introduction to docker; the concepts; how to use it and why. The presentation is mainly based on the following presentation by docker, but with added info about Docker Compose and Docker Swarm.
https://www.slideshare.net/Docker/docker-101-nov-2016
#container #docker #Trifork #TriforkSelected #GotoConf
CloudStack and GitOps at Enterprise Scale - Alex Dometrius, Rene Glover - AT&TShapeBlue
The AT&T team recently embarked on a journey with CloudStack and has since deployed a solution which encompasses multiple data-centers. This talk focuses on how they are using open source tools like CloudStack, FreeIPA, and Metal as a Service (MaaS) to support KVM-based VM provisioning at an enterprise scale within a GitOps model.
-----------------------------------------
The CloudStack Collaboration Conference 2023 took place on 23-24th November. The conference, arranged by a group of volunteers from the Apache CloudStack Community, took place in the voco hotel, in Porte de Clichy, Paris. It hosted over 350 attendees, with 47 speakers holding technical talks, user stories, new features and integrations presentations and more.
Podman was created to be an alternative to Docker. It bears many similarities to the popular containerization tool, but it also differs in some important aspects.
Podman is daemonless, unlike Docker, which uses a client-server paradigm. While Docker needs a daemon process to maintain the connection between the client and the server, Podman is a single main process with containers as child processes.
Due to its architecture, Docker requires root privileges. Podman is rootless by design.
Docker is a monolithic platform that strives to be an all-in-one solution for container management. Podman, on the other side, focuses on running containers. It utilizes specialized tools for other functionalities - for example, it uses Buildah for building images, and skopeo for image management and distribution.
Everything You Need To Know About Persistent Storage in KubernetesThe {code} Team
Applications need data. Containers remain ephemeral but we don't want our data to disappear. So how does it work with Kubernetes?
This session will examine the individual pieces required for creating persistent applications in Kubernetes. You will learn about in-tree and out-of-tree storage drivers, PersistentVolumes (PV), PersistentVolumeClaims (PVC), Dyanamic Provisioning, how to use all of these in your Deployments and StatefulSets, high availability, and what happens to the volumes when you delete objects. Get ramped up on everything you need to know about using persistent storage in Kubernetes
This presentation was delivered at Open Source Summit EU 2017
Infrastructure testing with Molecule and TestInfraTomislav Plavcic
Presentation defines what infrastructure as code is and what are some of the frameworks used for writing and testing it. More info is provided about Molecule framework which is used for testing Ansible roles and also TestInfra framework which can be used as a verifier with Molecule, but also as a standalone test framework.
We've added the presentation used by John Walter, Solution Architect for Red Hat's Training and Certification team, from our Accelerating with Ansible webinar. He discussed the emergence of radically simple Ansible automation and answered questions from attendees. Learn how Ansible automates cloud provisioning, configuration management, application deployment, intra-service orchestration, and many other IT needs. Also learn how Ansible is designed for multi-tier deployments from day one and how Ansible models your IT infrastructure by describing how all your systems inter-relate, rather than just managing one system at a time.
Secret Management with Hashicorp’s VaultAWS Germany
When running a Kubernetes Cluster in AWS there are secrets like AWS and Kubernetes credentials, access information for databases or integration with the company LDAP that need to be stored and managed.
HashiCorp’s Vault secures, stores, and controls access to tokens, passwords, certificates, API keys, and other secrets . It handles leasing, key revocation, key rolling, and auditing.
This talk will give an overview of secret management in general and Vault’s concepts. The talk will explain how to make use of Vault’s extensive feature set and show patterns that implement integration between Kubernetes applications and Vault.
Kubernetes Concepts And Architecture Powerpoint Presentation SlidesSlideTeam
Get these visually appealing Kubernetes Concepts And Architecture PowerPoint Presentation Slides to discuss the process of operating containerized applications. You can display the need for containers by the company with the help of an open-source architecture PPT slideshow. The architecture of containers can be demonstrated with the help of a visually appealing PPT slideshow. The reasons for opting for Kubernetes by an organization can be explained to your teammates with the help of containers PowerPoint infographics. Highlight the roadmap for installing Kubernetes in the organization by using content-ready PPT slides. Take the assistance of visually appealing PPT templates to depict the major advantages of Kubernetes such as improving productivity, the stability of application run, and many more. After that, display 30 60 90 days plan to implement Kubernetes in the organization. Display the key components of Kubernetes with the help of a diagram using this professionally designed cluster architecture PPT layouts. Describe the functionality of each components of Kubernetes. Hence, download Kubernetes architecture PPT slides to easily and efficiently manage the clusters. https://bit.ly/34DWa7x
Since the release of 17.05, Docker has introduced Multi-Stage Build for Docker Images for anyone who has struggled to optimize Dockerfiles while keeping them easy to read and maintain. This builder pattern will help anyone who would just like to have the runtime, configuration & application and doesn’t want to have compilers, debuggers, code, build, test logs etc.
Starting with Docker 1.12, Docker has added features to the core Docker Engine to make multi-host and multi-container orchestration extremely simple to use and accessible to everyone. Docker 1.12 Networking plays a key role in enabling these orchestration features.
In this online meetup, we learned all the new and exciting networking features introduced in Docker 1.12:
Swarm-mode networking
Routing Mesh
Ingress and Internal Load-Balancing
Service Discovery
Encrypted Network Control-Plane and Data-Plane
Multi-host networking without external KV-Store
MACVLAN Driver
Domino Server Health - Monitoring and ManagingGabriella Davis
If you're a Domino administrator how do you decide what to monitor on your servers and how to manage them ? What are the key things to monitor? How do good practice management tools such as statistics reporting, DDM, cluster symmetry, database repair and policy settings make your work lighter and faster. Finally we’ll talk about some of the “must dos” in the day, week and month of a Domino admin.
Presented at Engage.ug in Brussels May 2019
Talk about a complete open source IAM solution that includes LDAP directory server, Access Management and especially the enterprise-scale Identity Management system. The presentation also includes motivation why LDAP server alone is not enough.
Thanks to Katka Valalikova for delivering a OpenLDAP + Evolveum midPoint demo during the talk.
LDAPcon 2015, Edinburgh.
Everything You Need To Know About Persistent Storage in KubernetesThe {code} Team
Applications need data. Containers remain ephemeral but we don't want our data to disappear. So how does it work with Kubernetes?
This session will examine the individual pieces required for creating persistent applications in Kubernetes. You will learn about in-tree and out-of-tree storage drivers, PersistentVolumes (PV), PersistentVolumeClaims (PVC), Dyanamic Provisioning, how to use all of these in your Deployments and StatefulSets, high availability, and what happens to the volumes when you delete objects. Get ramped up on everything you need to know about using persistent storage in Kubernetes
This presentation was delivered at Open Source Summit EU 2017
Infrastructure testing with Molecule and TestInfraTomislav Plavcic
Presentation defines what infrastructure as code is and what are some of the frameworks used for writing and testing it. More info is provided about Molecule framework which is used for testing Ansible roles and also TestInfra framework which can be used as a verifier with Molecule, but also as a standalone test framework.
We've added the presentation used by John Walter, Solution Architect for Red Hat's Training and Certification team, from our Accelerating with Ansible webinar. He discussed the emergence of radically simple Ansible automation and answered questions from attendees. Learn how Ansible automates cloud provisioning, configuration management, application deployment, intra-service orchestration, and many other IT needs. Also learn how Ansible is designed for multi-tier deployments from day one and how Ansible models your IT infrastructure by describing how all your systems inter-relate, rather than just managing one system at a time.
Secret Management with Hashicorp’s VaultAWS Germany
When running a Kubernetes Cluster in AWS there are secrets like AWS and Kubernetes credentials, access information for databases or integration with the company LDAP that need to be stored and managed.
HashiCorp’s Vault secures, stores, and controls access to tokens, passwords, certificates, API keys, and other secrets . It handles leasing, key revocation, key rolling, and auditing.
This talk will give an overview of secret management in general and Vault’s concepts. The talk will explain how to make use of Vault’s extensive feature set and show patterns that implement integration between Kubernetes applications and Vault.
Kubernetes Concepts And Architecture Powerpoint Presentation SlidesSlideTeam
Get these visually appealing Kubernetes Concepts And Architecture PowerPoint Presentation Slides to discuss the process of operating containerized applications. You can display the need for containers by the company with the help of an open-source architecture PPT slideshow. The architecture of containers can be demonstrated with the help of a visually appealing PPT slideshow. The reasons for opting for Kubernetes by an organization can be explained to your teammates with the help of containers PowerPoint infographics. Highlight the roadmap for installing Kubernetes in the organization by using content-ready PPT slides. Take the assistance of visually appealing PPT templates to depict the major advantages of Kubernetes such as improving productivity, the stability of application run, and many more. After that, display 30 60 90 days plan to implement Kubernetes in the organization. Display the key components of Kubernetes with the help of a diagram using this professionally designed cluster architecture PPT layouts. Describe the functionality of each components of Kubernetes. Hence, download Kubernetes architecture PPT slides to easily and efficiently manage the clusters. https://bit.ly/34DWa7x
Since the release of 17.05, Docker has introduced Multi-Stage Build for Docker Images for anyone who has struggled to optimize Dockerfiles while keeping them easy to read and maintain. This builder pattern will help anyone who would just like to have the runtime, configuration & application and doesn’t want to have compilers, debuggers, code, build, test logs etc.
Starting with Docker 1.12, Docker has added features to the core Docker Engine to make multi-host and multi-container orchestration extremely simple to use and accessible to everyone. Docker 1.12 Networking plays a key role in enabling these orchestration features.
In this online meetup, we learned all the new and exciting networking features introduced in Docker 1.12:
Swarm-mode networking
Routing Mesh
Ingress and Internal Load-Balancing
Service Discovery
Encrypted Network Control-Plane and Data-Plane
Multi-host networking without external KV-Store
MACVLAN Driver
Domino Server Health - Monitoring and ManagingGabriella Davis
If you're a Domino administrator how do you decide what to monitor on your servers and how to manage them ? What are the key things to monitor? How do good practice management tools such as statistics reporting, DDM, cluster symmetry, database repair and policy settings make your work lighter and faster. Finally we’ll talk about some of the “must dos” in the day, week and month of a Domino admin.
Presented at Engage.ug in Brussels May 2019
Talk about a complete open source IAM solution that includes LDAP directory server, Access Management and especially the enterprise-scale Identity Management system. The presentation also includes motivation why LDAP server alone is not enough.
Thanks to Katka Valalikova for delivering a OpenLDAP + Evolveum midPoint demo during the talk.
LDAPcon 2015, Edinburgh.
Apache Camel Introduction & What's in the boxClaus Ibsen
Slides from JavaBin talk in Grimstad Norway, presented by Claus Ibsen in February 2016.
This slide deck is full up to date with latest Apache Camel 2.16.2 release and includes additional slides to present many of the features that Apache Camel provides out of the box.
The mission of the Cloud Foundry Foundation (CFF), the global standard for open Platform-as-a-Service (PaaS), is to enable a broad, open ecosystem of developer frameworks and application services to make it faster and easier to continuously build, test, deploy, and scale cloud native applications.
In this webinar, Chip Childers, CTO of Cloud Foundry, and Michael Fraenkel, IBM Distinguished Engineer working on Cloud Foundry, provide a technical overview of Cloud Foundry. They discuss the technical benefits of the platform, highlight the technical direction of the project, explain focus areas for 2016, and share highlights from the Cloud Foundry Summit held May 23-25 in Santa Clara, CA.
Presented live June 16, 2016.
www.cloud-council.org
NTNU Tech Talks : Smartening up a Pi Zero Security Camera with Amazon Web Ser...Mark West
A key advantage of the IoT is that it enables you to expand the potential of constrained devices by giving them access to the computational power of The Cloud.
In this session I’ll show you how I transformed a lowly Raspberry Pi Zero webcam into a smart security camera (with motion detection, threat detection and alert notifications) by combining open source software with cloud based image analysis.
Attendees can expect a short introduction on how to set up their own Raspberry Pi Zero webcam, a comparison of some of the image analysis API’s currently available, and finally a demonstration of how I used Node.js and a range of cloud based API’s (including Amazon's Rekognition, Lambda and Step Functions) to help my smart security camera distinguish between an unwanted guest and the neighbour’s cat.
Creating Real-Time Data Mashups with Node.JS and Adobe CQiCiDIGITAL
Adobe CQ is great at managing the authored content, but is less adept at handling the real-time data. The time it takes to ingest the data and replicate it is too long – the data will have already changed.
Node.JS has a broad and diverse developer community. If you want to build something with Node, chances are someone else has already done the same thing.
The New oVirt Extension API: Taking AAA (Authentication Authorization Account...Martin Peřina
Prior to oVirt 3.5, authentication and authorization was implemented as monolithic module, logic and schema was hard-coded, Kerberos was used for authentication to LDAP server. It was very hard to support and it didn't contain requested features like SSO or proper multi-domain setup.
In this session we will take a look at new extension API introduced in oVirt 3.5.
This API is designed to be stable (easy to extend without breaking backward compatibility), simple (it's invoke based) and yet flexible (it allows extension to extension communication and allows to write extensions in other languages than Java like Javascript or JPython).
We will also take a look at the AAA (authentication, authorization, accounting) extensions which uses this API. Those extensions included in oVirt 3.5 allow to use generic LDAP or database for authentication and authorization or allow SSO for UI and API part of oVirt.
Historically, security hasn't been a high priority in regards to Hadoop (reflection of type of data and organizations using Hadoop), but now Hadoop is being used by more traditional firms with heightened security requirements. MapR's Senior Principal Technologist, Keys Botzum, gives a talk on how you can build a secure cluster.
Securing Your Enterprise Web Apps with MongoDB Enterprise MongoDB
Speaker: Jay Runkel, Principal Solution Architect, MongoDB
Level: 200 (Intermediate)
Track: Operations
When architecting a MongoDB application, one of the most difficult questions to answer is how much hardware (number of shards, number of replicas, and server specifications) am I going to need for an application. Similarly, when deploying in the cloud, how do you estimate your monthly AWS, Azure, or GCP costs given a description of a new application? While there isn’t a precise formula for mapping application features (e.g., document structure, schema, query volumes) into servers, there are various strategies you can use to estimate the MongoDB cluster sizing. This presentation will cover the questions you need to ask and describe how to use this information to estimate the required cluster size or cloud deployment cost.
What You Will Learn:
- How to architect a sharded cluster that provides the required computing resources while minimizing hardware or cloud computing costs
- How to use this information to estimate the overall cluster requirements for IOPS, RAM, cores, disk space, etc.
- What you need to know about the application to estimate a cluster size
Practical Red Teaming is a hands-on class designed to teach participants with various techniques and tools for performing red teaming attacks. The goal of the training is to give a red teamer’s perspective to participants who want to go beyond VAPT. This intense course immerses students in a simulated enterprise environment, with multiple domains, up-to-date and patched operating systems. We will cover several phases of a Red Team engagement in depth – Local Privilege escalation, Domain Enumeration, Admin Recon, Lateral movement, Domain Admin privileges etc.
If you want to learn how to perform Red Team operations, sharpen your red teaming skillset, or understand how to defend against modern attacks, Practical Red Teaming is the course for you.
Topics :
• Red Team philosophy/overview
• Red Teaming vs Penetration Testing
• Active Directory Fundamentals – Forests, Domains, OU’s etc
• Assume Breach Methodology
• Insider Attack Simulation
• Introduction to PowerShell
• Initial access methods
• Privilege escalation methods through abuse of misconfigurations
• Domain Enumeration
• Lateral Movement and Pivoting
• Single sign-on in Active Directory
• Abusing built-in functionality for code execution
• Credential Replay
• Domain privileges abuse
• Dumping System and Domain Secrets
• Kerberos – Basics and its Fundamentals
• Kerberos Attack and Defense (Kerberoasting, Silver ticket, Golden ticket attack etc)
https://bsidessg.org/schedule/2019-ajaychoudhary-and-niteshmalviya/
Demystifying SharePoint Infrastructure – for NON-IT People SPC Adriatics
This talk is specifically for NON-SharePoint infrastructure administrators (or for new ones still figuring things out)! Instead it’s for the rest of the SharePoint team – come learn about the basic building blocks of SharePoint infrastructure – things like DNS, load balancing, AD, high availability and disaster recovery, backup options, database options, and some of the core components of Windows in an understandable way so you can speak the lingo and seem really smart!
Zvonimir Mavretić
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Building Open Source Identity Management with FreeIPA
1. Building Open Source Identity
Management with FreeIPA
Martin Kosek
<mkosek@redhat.com>
Supervisor, Software Engineering, Red Hat, Inc.
2. Getting a Context
What is Identity Management?
– “Identity management (IdM) describes the management of
individual principals, their authentication, authorization, and
privileges within or across system and enterprise boundaries with
the goal of increasing security and productivity while decreasing
cost, downtime and repetitive tasks.”
Wikipedia
This is the theory, but what does it mean?
– Identities (principals): users, machines, services/applications
– Authentication: password, biometry, 2FA
– Authorization: Policies, ACLs, DAC, MAC
– Can be configured locally, but what about 1000+ machine
network ? Synchronization nightmare...
2
3. IdM Related Technologies
Active Directory
– Main identity management solution deployed in more than 90% of
the enterprises
LDAP
– Often used for custom IdM solution, different flavours
Kerberos
– Authentication solution
Samba, Samba 4 DC
NIS (NIS+)
– Obsoleted
4. Active Directory vs. Open Source
Why is Active Directory so popular?
– Integrated solution
– It is relatively easy to use
– Simple configuration for clients
– All the complexity is hidden from users and admins
– Has comprehensive interfaces
5. Active Directory vs. Open Source (2)
What about Open Source tools?
– Solve individual problems
• “do one thing and do it well”
– Bag of technologies lacking integration
– Hard to install and configure
• Have you ever tried manual LDAP+Kerberos configuration?
– Too many options exposed
• Which to choose? Prevent shooting myself in the leg
– Lack of good user interfaces
Is the situation really that bad?
6. Introducing FreeIPA
IPA stands for Identity, Policy, Audit
– So far we have focused on identities and related policies
Main problems FreeIPA solves:
– Central management of authentication and identities for Linux
clients better than stand-alone LDAP/Kerberos/NIS - based
solutions
– Hides complexity, presents easy to understand CLI/UI
• Install with one command, in several minutes
– Acts as a gateway between the Linux and AD infrastructure
making it more manageable and more cost effective
• This is a requirement. As we said earlier, Active Directory is often
the main Identity Management source
7. The Core
Directory Server
– Main data backend for all other services
– Custom plugins: authentication hooks, password policy,
compatibility tree (slapi-nis), validation, extended
operations...
Kerberos KDC
– Provides authentication for entire FreeIPA realm
PKI Server
– Certificates for services (web, LDAP, TLS)
HTTP Server
– Provides public interface (API)
9. Example - Using FreeIPA CLI
$ kinit admin
Password for admin@EXAMPLE.COM:
$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@EXAMPLE.COM
Valid starting
Expires
Service principal
10/15/12 10:47:35 10/16/12 10:47:34 krbtgt/EXAMPLE.COM@...
10. Example - Using FreeIPA CLI (2)
$ ipa user-add --first=John --last=Doe jdoe --random
----------------Added user "jdoe"
----------------User login: jdoe
First name: John
Last name: Doe
Full name: John Doe
Display name: John Doe
Initials: JD
Home directory: /home/jdoe
GECOS field: John Doe
Login shell: /bin/sh
Kerberos principal: jdoe@EXAMPLE.COM
Email address: jdoe@example.com
Random password: xMc2XkI=ivVM
UID: 1998400002
GID: 1998400002
Password: True
Kerberos keys available: True
11. Features: Deployment
Hide complexity of LDAP+Kerberos+CA+... deployment
We have few requirements :
– Sane DNS environment (reverse records)
• DNS is crucial to identify machines
• Kerberos service principals, X509 Certificates use DNS names
– Static FQDN hostnames
Configuration with one command
– ipa-server-install, ipa-client-install
Supports replicas
– Essential for redundancy and fault protection
– ipa-replica-install
12. Features: Identity Management
Users, groups:
– Automatic and unique UIDs, across replicas
– Manage SSH public keys (not needed when authenticating with Kerberos)
– Role-based access control, self-service
Hosts, host groups, netgroups:
– Manage host life-cycle, enrollment
Services/applications
– Manage keytab, certificate
Automatic group membership based on rules
– Just add a user/host and all matching group/host group membership is
added
13. Features: DNS
Optional feature
DNS data stored in LDAP
Plugin for BIND9 name server (bind-dyndb-ldap)
– Bridge between LDAP and DNS worlds
Integration of DNS records with the rest of the framework
14. Features: Policy Management
HBAC
– Control who can do what and where
– Enforced by SSSD for authentication requests going through
PAM
– Useful when automember is in use
$ ipa hbacrule-show labmachines_login
Rule name: labmachines_login
Enabled: TRUE
User Groups: labusers, labadmins
Host Groups: labmachines
Services: sshd, login
15. Features: Policy Management (2)
SUDO: $ ipa sudorule-show test
Rule name: test
Enabled: TRUE
User Groups: labadmins
Host Groups: labmachines
Sudo Allow Commands: /usr/sbin/service
Automount:
$ ipa automountkey-find brno auto.direct
----------------------1 automount key matched
----------------------Key: /nfs/apps
Mount information: export.example.com:/apps
16. Features: Policy Management (3)
SELinux user roles
– Centrally assign SELinux user roles to users
– Useful for confined environments
– Avoid configuring roles per-server using “semanage user”
command
$ ipa selinuxusermap-show labguests
Rule name: labguests
SELinux User: guest_u:s0
Enabled: TRUE
User Groups: labusers
Host Groups: labmachines
17. Use case: Kerberize a Web Service
Provide centralized identity and authentication (SSO) for a web
application with few commands :
# ipa-client-install -p admin -w PAsSw0rd --unattended
Discovery was successful!
Hostname: web.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: ipa.example.com
BaseDN: dc=example,dc=com
Synchronizing time with KDC...
Enrolled in IPA realm EXAMPLE.COM
...
DNS server record set to: web.example.com -> 10.0.0.10
...
Client configuration complete.
18. Use case: Kerberize a web service (2)
# kinit admin
# ipa service-add HTTP/web.example.com
# ipa-getkeytab -p HTTP/web.example.com -s ipa.example.com
-k /etc/httpd/conf/httpd.keytab
# chown apache:apache /etc/httpd/conf/http.keytab
# chmod 0400 /etc/httpd/conf/http.keytab
19. Use case: Kerberize a web service (3)
# yum install mod_auth_kerb
# Kerberos auth for Apache
# cat /etc/httpd/conf.d/webapp.conf
<Location "/secure">
AuthType Kerberos
AuthName "Web app Kerberos authentization"
KrbMethodNegotiate on
KrbMethodK5Passwd on
KrbServiceName HTTP
KrbAuthRealms EXAMPLE.COM
Krb5Keytab /etc/httpd/conf/http.keytab
KrbSaveCredentials off
Require valid-user
</Location>
# service httpd restart
20. Introducing SSSD
SSSD is a service/daemon used to retrieve information from a
central identity management system.
SSSD connects a Linux system to a central identity store like:
– Active Directory
– FreeIPA
– Any other directory server
Provides identity, authentication and access control
21. Introducing SSSD (2)
Multiple parallel sources of identity and authentication –
domains
All information is cached locally for offline use
– Remote data center use case
– Laptop or branch office system use case
Advanced features for
– FreeIPA integration
– AD integration - even without FreeIPA
22. FreeIPA and Active Directory
Active Directory is present in most of the businesses
IdM in Linux and Windows cannot be 2 separate isles
– Doubles the identity and policy management work
Need to address some form of cooperation
3rd party solutions for AD Integration
– Enables machine to join AD as Windows machines
– Linux machines are 2nd class citizens
– Increases costs for the solution + Windows CLA
– Does not offer centralization for Linux native services
• SELinux, Automount, ...
23. FreeIPA and Active Directory (2)
FreeIPA v2 - winsync+passsync
– User and password synchronization
– Easier management, but 2 separate identities
– One-way, name collisions, no SSO
FreeIPA v3+ - Cross-realm Kerberos trusts
– Users in AD domain can access resources in a FreeIPA domain
and vice versa
– One Identity, no name collisions (aduser@ad.domain), SSO with
AD credentials
24. Cross-Realm Kerberos Trust
FreeIPA deployment is a fully managed Kerberos realm
Can be integrated with Windows as RFC 4120 compliant
Kerberos realm
Traditional Kerberos trust management applies:
– Manual mapping of Identities in both Active Directory and Linux
(~/.k5login)
– Does not scale with thousands of users and computers
Better approach - native cross forest trusts
– AD DC thinks considers FreeIPA server as another AD DC
– MS-specific extensions to standard protocols need to be supported
25. FreeIPA as AD DC
FreeIPA Samba passdb backend
– Expansion of traditional Samba LDAP passdb backend
– New schema objects and attributes to support trusted domain
information
FreeIPA KDC backend:
– Verifies and signs MS-PAC coming from a trusted cross forest realm
– Accepts principals and tickets from a trusted realm
– Generates MS-PAC information out of LDAP
CLDAP plugin handling NetLogon requests
Additional API for handling new objects and attributes
26. Integration Plan
Step 1: allow AD users to connect to FreeIPA services. For
example:
– SSH from a Windows machine to FreeIPA-managed Linux
machine - with SSO!
– Mounting Kerberos-protected NFS share
Step 2: allow FreeIPA users to interactively log in into AD
machines
– Requires support for Global Catalog on FreeIPA server side
– Work in progress, planned for FreeIPA 3.4 (Q1/2014)
27. Is it enough? What is the catch?
We can manage Linux machines with FreeIPA
We can manage Windows machines with AD
We can establish a trust between them - good!
Works great for green field deployments
BUT!
– What about users already using Linux-AD integration?
• Identity Management for Unix AD LDAP extension
• Third party plugins
– What about users with legacy machines?
• Older Linuxes, UNIXes...
• They cannot use the modern SSSD with AD support
– Address before moving forward
28. Existing Linux-AD integration
Main problem is the UID/GID generation
– FreeIPA 3.0-3.2 generates them from SID
• Maps Windows style SID (e.g. S-1-5-21-16904141-1481897002149043814-1234) to UNIX-style UID/GID based on user ranges (e.g. UID
9870001234, GID 9870001234)
AD users may already contain defined UID/GID attributes
– Identity Management for Unix AD LDAP extension
– UID/GID are already used on Linux machines
– If changed, file ownership breaks
Allow reading these attributes!
– New setting for AD Trust
– SSSD reads the POSIX attributes from AD and uses them
29. Legacy clients using AD Trust
Administrator may want older systems to authenticate both AD and
Linux users
– SSSD with AD support may not available
– Using just nss_ldap is not enough, AD users are not in FreeIPA DS
Solved by compatibility LDAP tree in FreeIPA server
– Exposes a compatibility tree managed by slapi-nis DS plugin
– Provides both identity and authentication standard via LDAP operations
– Intercepts LDAP bind operations
• For FreeIPA user, it just does LDAP bind to FreeIPA LDAP tree
• For external user:
– Asks SSSD for user/group (getpwnam_/getgrnam_r), it asks AD
– Does PAM system-auth command, also via SSSD
30. Legacy clients using AD Trust (2)
FreeIPA server
FreeIPA
AD
KDC
LDAP KDC
3) Gets identity
with system calls
6) Authenticates
Member
5) Authenticates
via PAM
SSSD
Authentication
Identities
4) Reads identity
from AD
7) Identity +
authentication
via LDAP
AD Domain
Member
LDAP
Legacy client
1) Authenticate
nss_ldap
8) Success/Failure
Authentication
Identities
2) LDAP Bind
to compat tree