Friday 15 December 2017

Error authorizing security group ingress rules: InvalidPermission.Duplicate: the specified rule peer

Error authorizing security group ingress rules: InvalidPermission.Duplicate: the specified rule peer sg-xxxxxxx

This lovely gem popped up out of nowhere while applying a Terraform config. I mitigated it by changing the security group ID to the full ARN of the security group:

arn:aws:ec2:region:account-id:security-group/security-group-id

and then switching it back. I think there may have been a state mismatch due to someone manually editing the security group ingress rules.




Monday 6 October 2014

AWS OpsWorks: "Update Custom Cookbooks" using aws cli

I was certain it would be a subcommand of update-stack, but it's actually under create-deployment.

aws opsworks create-deployment --region us-east-1 --stack-id ${STACKID} --command '{"Name":"update_custom_cookbooks"}'


Wednesday 23 April 2014

Howto: PCI-DSS Hardened Ubuntu 14.04 LTS


This document serves as a record of the knowledge acquired while producing a PCI-DSS hardened Ubuntu Linux 14.04 LTS Server VMware template.

Installation


Grab ubuntu-14.04-server-amd64.iso or your iso of choice, and burn it to optical media, or upload it to your VMware datastore.

Boot the machine.


Press F6 to select expert mode. Press Escape and then choose "Install Ubuntu Server".

Proceed through all the steps, answering the dialogues as you would normally. Often the default is acceptable, but careful thought should be put into each decision.


After you complete the "Load installer components from CD" step, the menu will expand to this:

Continue answering the dialogues as you would normally. After you complete the step for "Configure the package manager" you should then SKIP ENTIRELY "Select and install software". Proceed to "Install the GRUB boot loader on a hard disk" and then finally "Finish the installation".

After the first boot of Ubuntu 14.04 Trusty Tahr, I had a package count of 214.

$ sudo dpkg -l | wc -l
214

The point of PCI-DSS hardening is to make the machine resilient to attacks from the network should an attacker gain access to that network, and to make the machine as difficult as possible for an attacker to use should they acquire shell access to it. With this in mind, install only the bare minimum of utilities required to administer the system; every extra package is more code an attacker can lean on. These were my package choices:

$ aptitude install bash bash-completion bzip2 file grep gzip htop iotop iptables-persistent less lsof man-db manpages openssh-server sed sudo sysstat tmux unzip vim

Hardening


SCAP: Guide To The Secure Configuration of Red Hat Enterprise Linux 5

The SCAP RHEL5 guide serves as a good reference for where to start to harden your Ubuntu system. Things to keep in mind regarding the differences between Red Hat Enterprise Linux and Ubuntu Linux include:

  • Ubuntu uses upstart, whereas RHEL uses SysV Init.
  • Ubuntu uses apt, RHEL uses yum.

2.1.2.1 - RHN does not apply. The Ubuntu equivalent would be Landscape.
2.1.2.2 - rhnsd does not exist in Ubuntu.
2.3.1.1 - Root login is disabled altogether by default in Ubuntu.
2.4.2 - SELinux is not installed by default in Ubuntu. My PCI auditor doesn't consider it a requirement of compliance; however, your auditor may disagree.
2.5.5 - RHEL by default will save iptables rulesets on shutdown and reload them on system startup. To accomplish this under Ubuntu, the package iptables-persistent is required.
3.3.6 - kudzu does not exist in Ubuntu.
3.14.2 - The fact that NIST recommends BIND is laughable. BIND has a horrible track record for security, as evidenced by the fact that the next recommendation is to place it in a chroot jail. If you need an authoritative nameserver or a recursive resolver on your network, use MaraDNS or PowerDNS instead. Distribute an /etc/hosts file with Puppet or Chef if you have to, but do not use BIND.

The rest of the recommendations in the document can be accomplished by researching which configuration file to modify. For now I have most of the tasks in a series of bash scripts, and the remaining tasks I handle manually. My ultimate goal is to codify all the PCI hardening in Puppet so that a VM template is not required, and hosts can be created with Vagrant or Docker on something like CloudStack. See these related links:

http://www.slideshare.net/CloudPassage/automating-secure-server-baselines-with-puppet
http://www.slideshare.net/opscode/automating-secure-serverbaselinesandrewhay

I hope this helps you in your quest to use Ubuntu in your cardholder environment.

Thursday 4 July 2013

Get value from agent failed: ZBX_TCP_READ() failed: [4] Interrupted system call

Get value from agent failed: ZBX_TCP_READ() failed: [4] Interrupted system call

I got this error from a MongoDB VM I had just fired up. As I was investigating, I found that there was a hung connection to the primary resolver listed in /etc/resolv.conf. Turns out that network segment didn't have a firewall exclusion for the new caching name server I had installed not too long ago. I added a firewall exclusion and a minute or so later the node was reporting data in my Zabbix web console. UPDATE: I've also experienced the same issue where the node had no issue contacting the resolver listed in /etc/resolv.conf. The fix was to add an entry in /etc/hosts for the Zabbix server. It's odd that it only affected one RHEL node.

TLDR: This error message is related to some type of failure of the DNS subsystem on the target node.

Monday 6 May 2013

MariaDB: dead simple

In light of this article, I decided to give MariaDB a shot. It's dead simple.

Add the official repository, set up multi-master replication as usual. Done.