Adding study group notes for Perm101

Author: Ell Marquez

permissions101/perm101.md

@@ -0,0 +1,82 @@
+# Perms 101
+  
+  Please remember this outline was created to assist you in taking notes during our study group. 
+
+## FS Permission Basics
+    
+`drwxrwxrwx.` 
+
+* `d` rwxrwxrwx. 
+* d`rwx`rwxrwx.
+* drwx`rwx`rwx.
+* drwxrwx`rwx`.
+* drwxrwxrwx`.`
+
+## Using chmod, chown
+
+`chown root:root file`
+
+`chown root: file`
+
+`chown root file`
+
+`chown :root file`
+
+### chmod
+The chmod command changes the mode or the permission set of a file.
+
+Mode can be represented in symbolic or octal notations
+Symbolic	rwx, rw, r-x
+Octal	755, 644
+chmod - Examples
+
+* The following are some examples of how we can use chmod
+
+        chmod 755 file
+        chmod u+rwx
+        chmod g-rwx
+        chmod o=rw
+
+
+* The following are some examples of how we can use chmod
+
+        chmod 755 file # Change the permissions to 755
+        chmod u+rwx
+        chmod g-rwx
+        chmod o=rw
+
+* The set uid and set gid bits configure a command so that it is executed as said owner or group
+
+* The sticky bit designates that only the owner can delete the file
+
+* These permissions are set with the chmod command.
+
+* Using chmod with a capital -X denotes to only set the execute bit if the execute bit is already set elsewhere in the permissions
+
+
+## umask & /etc/skel
+
+The umask is what determines what permissions is a new file created with. They are specifying which bits are turned off by default.
+
+    umask
+    umask -S
+    umask -p
+
+* The umask is set in /etc/profile but can also be set per user or in /etc/skel
+
+## FACLs Introduction
+
+* Defaults are set on a directory and they will carry through to each file under the directory.
+
+* Defaults are set by adding the -d, --default flag indicating the operations are for the default
+
+`setfacl -d -m u:rack:rwx ./testdir/`
+
+### C.R.U.D on FACLs
+
+* Create	setfacl -m u:rack:rwx file
+* Read	getfacl file
+* Update	setfacl -x u:rack / setfacl -m u:rack:rw
+* Delete	setfacl -x -k -b file
+
+## Review and Expand

security/K8sStudy.md

@@ -0,0 +1,104 @@
+# Don't be Famous Study Group
+
+## Part 1: Introduction:
+Famous breaches 
+Tesla Cloud Resources Are Hacked To Run Cryptocurrency Mining Malware    
+https://arstechnica.com/information-technology/2018/02/tesla-cloud-resources-are-hacked-to-run-cryptocurrency-mining-malware/
+Shopify     
+https://www.eweek.com/security/how-shopify-avoided-a-data-breach-thanks-to-a-bug-bounty
+Legacy Security         
+Physical Access    
+Network Perimeter
+Updated Machines         
+Workload Isolation             
+Could be Dev,     Staging and production. Could also be separating production environments.
+         
+## Part 2: Security through Architecture
+https://kubernetes.io/blog/2018/07/18/11-ways-not-to-get-hacked/#1-tls-everything
+Everywhere that can be TLS should be TLS inside the cluster.         
+Worker nodes should never have access to etcd for any reason.             
+Even Better, Etcd should be completely separate from the controls and         firewall-ed.         
+Upgrades
+Upgrade in place    
+Lower     infrastructure cost            
+More “dangerous”                         
+Configuration     Drift    
+External Access is Easier
+Stand up a new cluster
+Higher     infrastructure cost                 
+Less     “dangerous”                 
+Immutable Clusters
+External Access is harder.             
+Command to know:
+https://kubernetes.io/docs/tasks/administer-cluster/safely-drain-node/
+kubectl cordon        
+kubectl drain         
+     
+Projects to know:
+Velero (arc) –     backups and restores for k8s objects     
+
+## Part 3: RBAC
+RBAC relies on a series of well defined and standard concepts that are commonly     found in all implementations.
+     
+Subjects – A     person, agent or group
+Roles- A role     is made of a set of permissions (an approval of a mode of access to a resource)         
+Assignments – Role assignment grants a subject right to execute a transaction by         assigning to the subject an active role    
+Kubernetes has Role and Cluster Roles
+Using RBAC Authorizaiton 
+https://kubernetes.io/docs/reference/access-authn-authz/rbac/
+Authorization Overview 
+https://kubernetes.io/docs/reference/access-authn-authz/authorization/
+Roles are defined at the Kubernetes namespace level.         
+Batteries Included        
+Cluster-Admin             
+Admin             
+Edit                          
+View                      
+Role Sprawl Insanity         
+Use groups                     
+Tools that help :                     
+Dex    
+https://github.com/dexidp/dex/blob/master/Documentation/kubernetes.md
+https://github.com/dexidp/dex        
+Gangway 
+https://github.com/heptiolabs/gangway
+
+## Part 4: “Policies”
+Network Policy     
+Default is ALLOW ALL ANYWHERE        
+Remember network plugins             
+http://github.com/ahmetb/kubernetes-network-policy-recipes     
+Pod Security Policy     
+Runs on the cluster as an admission controller.                 
+Linked to RBAC roles
+RBAC defines     what policies users have access to.    
+Permissive vs     Restricted    
+Default        
+Kube-System     
+Networking
+     
+
+## Part 5: Audit Everything
+https://kubernetes.io/docs/tasks/debug-application-cluster/audit/
+API Server will log ALL REQUEST for auditing purpose
+Audit logs can be VERY NOISY, so you only log what you need.     
+Stages of a Request to the API server     
+RequestReceived
+ResponseStated    
+ResponseComplete
+Panic         
+Audit log levels
+None    
+Metadata    
+Requests
+RequestResponse         
+
+
+## Closing:
+Previous Study groups     
+[History of Linux](https://youtu.be/qJ1CrzLS7Ak)    
+[Ansible](https://youtu.be/0WfYpWl01VQ)
+[Command Line Threat Hunting](https://youtu.be/jy9SAUHEWdU)         
+[Feedback form](https://forms.gle/oXAa1VYjsJJBsZD78)    
+[Free k8s courses](https://linuxacademy.com/blog/linux-academy/freemay2019/)    
+[Hearts twitter](@hhover)