Add user to sudoers (RHEL)
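# Create an admin account and give it sudo rights (RHEL / CentOS).
# Each step runs under sudo instead of opening a persistent root shell with `sudo su`.
sudo adduser iwadmin
# passwd takes the USERNAME and prompts for the new password interactively.
# Never put the password itself on the command line: it ends up in shell
# history and is visible to every user via `ps`.
sudo passwd iwadmin
# On RHEL/CentOS 7+ the default sudoers usually already contains
# "%wheel ALL=(ALL) ALL" (check with: sudo grep '^%wheel' /etc/sudoers),
# so wheel membership alone grants sudo.
sudo usermod -aG wheel iwadmin
# If an explicit per-user rule is still wanted, put it in a drop-in file and
# validate it with visudo. Editing /etc/sudoers with a plain editor risks a
# syntax error that locks every account out of sudo.
printf 'iwadmin ALL=(ALL) ALL\n' | sudo tee /etc/sudoers.d/iwadmin >/dev/null
sudo chmod 0440 /etc/sudoers.d/iwadmin
sudo visudo -cf /etc/sudoers.d/iwadmin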
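# Create an admin account and give it sudo rights (RHEL / CentOS).
# Each step runs under sudo instead of opening a persistent root shell with `sudo su`.
sudo adduser iwadmin
# passwd takes the USERNAME and prompts for the new password interactively.
# Never put the password itself on the command line: it ends up in shell
# history and is visible to every user via `ps`.
sudo passwd iwadmin
# On RHEL/CentOS 7+ the default sudoers usually already contains
# "%wheel ALL=(ALL) ALL" (check with: sudo grep '^%wheel' /etc/sudoers),
# so wheel membership alone grants sudo.
sudo usermod -aG wheel iwadmin
# If an explicit per-user rule is still wanted, put it in a drop-in file and
# validate it with visudo. Editing /etc/sudoers with a plain editor risks a
# syntax error that locks every account out of sudo.
printf 'iwadmin ALL=(ALL) ALL\n' | sudo tee /etc/sudoers.d/iwadmin >/dev/null
sudo chmod 0440 /etc/sudoers.d/iwadmin
sudo visudo -cf /etc/sudoers.d/iwadmin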
from __future__ import print_function
import sys
import boto3
from botocore.exceptions import ClientError
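# Start one EC2 instance after confirming, via a DryRun call, that the caller's
# credentials actually permit ec2:StartInstances on it.
#
# Usage: script.py [INSTANCE_ID]
# With no argument the hard-coded instance below is used, so the original
# argument-less invocation keeps working.
boto3.setup_default_session(profile_name='default')
instance_id = sys.argv[1] if len(sys.argv) > 1 else 'i-094cf9bbbea2bdfbd'
ec2 = boto3.client('ec2')

# Dry run first. AWS answers a permitted dry run with the error code
# "DryRunOperation"; any other ClientError (UnauthorizedOperation, malformed
# id, ...) is a real failure and is re-raised. Checking the structured error
# code is more robust than substring-matching the message text.
try:
    ec2.start_instances(InstanceIds=[instance_id], DryRun=True)
except ClientError as e:
    if e.response.get('Error', {}).get('Code') != 'DryRunOperation':
        raise

# Permission confirmed; start the instance for real.
try:
    response = ec2.start_instances(InstanceIds=[instance_id], DryRun=False)
    print(response)
except ClientError as e:
    # Report on stderr and exit non-zero so a calling script or CI job sees the
    # failure instead of a successful exit with the error buried in stdout.
    print(e, file=sys.stderr)
    sys.exit(1)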
Download all cookbooks
# Pull every cookbook from the Chef server into the local chef-repo checkout.
cd "$HOME/chef-repo"
knife download cookbooks
Download all roles
# Pull every role definition from the Chef server into the local chef-repo checkout.
cd "$HOME/chef-repo"
knife download roles
Download Specific Cookbook
# Download one cookbook at a pinned version; the glob is quoted so the shell
# hands it to knife unexpanded.
knife download 'cookbooks/cert-QValent*' --cookbook-version 0.1.0
Creating cookbook
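# Create a new cookbook skeleton and add an (empty) recipe to it.
cd ~/chef-repo
# Either the legacy knife generator...
knife cookbook create newrelic-config
# ...or, with ChefDK / Chef Workstation, the chef generator run from the cookbooks dir:
#   cd cookbooks && chef generate cookbook newrelic-config
cd cookbooks/newrelic-config/recipes
touch update_config.rb
# Open the recipe in an editor (notepad on a Windows workstation) and author it.
notepad update_config.rb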
[...Author Recipe.....]
Upload cookbook
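# Syntax-check and lint the cookbook, then upload it. The checks target the
# same cookbook that is uploaded, and forward-slash paths work in both bash
# and PowerShell (in bash an unquoted backslash is an escape character, so
# .\cookbooks\... would not name the file you expect).
cd ~/chef-repo
ruby -c cookbooks/newrelic-config/recipes/update_config.rb
foodcritic cookbooks/newrelic-config
knife cookbook test newrelic-config
knife cookbook upload newrelic-config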
Modify role and include new recipe
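# Edit the role and add the new recipe to its run_list
# (forward slashes work in both bash and PowerShell).
vim roles/portalapps.json
# In the JSON, append the recipe to the run_list array, e.g.:
#   "run_list": [
#     ...,
#     "recipe[newrelic-config::update_config]"
#   ]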
Upload Role
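# Push the edited role to the Chef server. Forward slashes work in both bash and
# PowerShell; in bash the unquoted backslashes of .\roles\portalapps.json are
# consumed as escapes and the path silently changes.
knife upload roles/portalapps.json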
Assign Role to Nodes
# List the nodes registered with the Chef server, then open the target node's
# object (run_list, attributes) in the editor knife is configured to use.
knife node list
knife node edit 'sit9-portalapps-ip-0a9a1670'
Download cookbook from supermarket
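# `knife cookbook site download` needs the cookbook name as its argument;
# without it the command only prints a usage error.
knife cookbook site download COOKBOOK_NAME
# Newer Chef Workstation releases name this `knife supermarket download COOKBOOK_NAME`.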
Setting up new system
-Install VirtualBox
-Install Vagrant
- $ vagrant plugin install vagrant-vbguest
- $ vagrant box add hashicorp/precise64 (or a maintained box such as centos/7 — hashicorp/precise64 is Ubuntu 12.04 and no longer receives security updates)
-Create Vagrantfile (see below)
- $ vagrant up
Debugging issues
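# Turn on verbose Vagrant logging for one run (unset it afterwards).
# In bash, `set VAGRANT_LOG=info` only sets the shell's positional parameters
# and does NOT export anything, so use export:
export VAGRANT_LOG=info
# Windows cmd.exe:  set VAGRANT_LOG=info      PowerShell:  $env:VAGRANT_LOG = "info"
vagrant up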
Vagrantfile
# -*- mode: ruby -*-
# vi: set ft=ruby :
#
# Minimal Vagrantfile: a single VM built from the hashicorp/precise64 box
# (Ubuntu 12.04, long past end of life; prefer a maintained box for real work).
# "public_network" bridges the VM onto the host's physical network, so every
# other machine on that LAN can reach it; use "private_network" unless that
# exposure is intended.
Vagrant.configure('2') do |vm_config|
  vm_config.vm.box = 'hashicorp/precise64'
  vm_config.vm.network 'public_network'
end
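# Script to configure language settings for each user
#
# Sets the Windows system locale, home location and regional format to
# English (Australia) and forces en-AU as the only input language for the
# running user. Set-WinSystemLocale changes machine-wide settings, so the
# script needs an elevated session, and the system-locale change only takes
# effect after a reboot.
#Requires -RunAsAdministrator

#Write settings to reg key for all users who logon to machine
#$RegKeyPath = "HKU:\Control Panel\International"

# Import 'International' module to PowerShell session
Import-Module International

# Set the system locale to English (Australia) - machine-wide, applied on next reboot
Set-WinSystemLocale en-AU
# Home location: GeoId 0xC (decimal 12) is Australia
Set-WinHomeLocation -GeoId 0xC

# Set regional format (datetime etc.) to English (Australia) for the current user account
Set-Culture en-AU

# Optional guard, left disabled as in the original: stop if the user already has an
# input language other than en-AU/en-US, so -Force below does not silently drop it.
#$currentlist = Get-WinUserLanguageList
#if ($currentlist | Where-Object { $_.LanguageTag -notin 'en-AU', 'en-US' }) { exit }

# Set the language list for the user, forcing English (Australia) to be the only language
Set-WinUserLanguageList en-AU -Force
# 0 = do not opt out: keep the user's culture in step with the language list above
Set-WinCultureFromLanguageListOptOut 0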
Creating cookbook
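# Create a new cookbook skeleton and add an (empty) recipe to it.
cd ~/chef-repo
# Either the legacy knife generator...
knife cookbook create newrelic-config
# ...or, with ChefDK / Chef Workstation, the chef generator run from the cookbooks dir:
#   cd cookbooks && chef generate cookbook newrelic-config
cd cookbooks/newrelic-config/recipes
touch update_config.rb
# Open the recipe in an editor (notepad on a Windows workstation) and author it.
notepad update_config.rb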
[...Author Recipe.....]
Upload cookbook
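# Lint the cookbook, then upload it. The lint targets the same cookbook that is
# uploaded, and forward-slash paths work in both bash and PowerShell (in bash an
# unquoted backslash is an escape character, so .\cookbooks\... would not name
# the path you expect).
cd ~/chef-repo
foodcritic cookbooks/newrelic-config
knife cookbook test newrelic-config
knife cookbook upload newrelic-config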
Modify role and include new recipe
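# Edit the role and add the new recipe to its run_list
# (forward slashes work in both bash and PowerShell).
vim roles/portalapps.json
# In the JSON, append the recipe to the run_list array, e.g.:
#   "run_list": [
#     ...,
#     "recipe[newrelic-config::update_config]"
#   ]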
Upload Role
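# Push the edited role to the Chef server. Forward slashes work in both bash and
# PowerShell; in bash the unquoted backslashes of .\roles\portalapps.json are
# consumed as escapes and the path silently changes.
knife upload roles/portalapps.json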
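# Fetch a certificate from S3 and import it into the local machine's Personal store.
# Import-Certificate against Cert:\LocalMachine needs an elevated session.
$S3BucketName = "myinfrastructure"
$tDir = "C:\source"
$S3file = "ip-0a901597.cloud.example.com.au.cer"
$Key = "certificates/Prod/$S3file"
$targetPath = "$tDir\$S3file"

# Make sure the download directory exists (no-op if it already does).
New-Item -ItemType Directory -Path $tDir -Force | Out-Null

# Stop on any download error so a missing or forbidden object cannot fall
# through to importing a stale file left by an earlier run.
Read-S3Object -BucketName $S3BucketName -Key $Key -File $targetPath -ErrorAction Stop

# A .cer carries only the public certificate (no private key), so importing it
# into LocalMachine\My publishes the cert to the machine store without exposing a key.
Import-Certificate -FilePath $targetPath -CertStoreLocation Cert:\LocalMachine\My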
I had a need to create a hardened (CIS) base image for a project. The AMI created from this project was not used directly, but rather as a base image for other application-specific stacks.
The following is a Packer file. A few things to note before reusing it: the root volume is built with "encrypted": false, so turn on EBS encryption if your baseline requires encrypted AMIs; the `sudo sh -c 'selinux=1 security=selinux enforcing=1'` line is a no-op (it only assigns variables inside a throw-away shell) — SELinux is actually enabled by the two sed edits to the GRUB config together with /.autorelabel; and the pip installs are unpinned, so pin versions if builds need to be reproducible.
{
"variables": {
"aws_access_key": "",
"aws_secret_key": "",
"aws_region": "{{ env `AWS_DEFAULT_REGION` }}",
"bitbucket_branch": "",
"bitbucket_buildnumber": "",
"bitbucket_commit": "",
"bootstrap_commit": ""
},
"builders": [{
"type": "amazon-ebs",
"access_key": "{{user `aws_access_key`}}",
"secret_key": "{{user `aws_secret_key`}}",
"region": "ap-southeast-2",
"vpc_id": "vpc-1cceEXAMPLE8178",
"subnet_id": "subnet-b8fEXAMPLE1e0dc",
"associate_public_ip_address": true,
"ssh_private_ip": false,
"ssh_pty": true,
"source_ami": "ami-240EXAMPLEef546",
"instance_type": "c4.large",
"ssh_username": "ec2-user",
"ami_name": "CIS-AWSLinux-Base {{isotime | clean_ami_name}}",
"ami_users": ["<Account_Number>"],
"launch_block_device_mappings":[{
"device_name":"/dev/xvda",
"volume_size":30,
"volume_type":"gp2",
"encrypted":false,
"delete_on_termination":true
}],
"tags": {
"OS_Version": "AWSLinux",
"Name": "CIS-AWSLinux-Base",
"Timestamp": "{{timestamp}}",
"AMI_Branch": "{{user `bitbucket_branch`}}",
"AMI_Build_Number": "{{ user `bitbucket_buildnumber`}}",
"AMI_Commit": "{{ user `bitbucket_commit`}}",
"Bootstrap_Commit": "{{ user `bootstrap_commit`}}"
}
}],
"provisioners": [{
"type": "shell",
"inline": [
"sleep 30",
"sudo bash -c 'echo export PATH=\\$PATH:/opt/aws/bin/ >> /etc/profile'",
"sudo yum clean all",
"sudo yum -y update",
"sudo yum -y install epel-release",
"sudo yum install -y libselinux libselinux-utils libselinux-utils selinux-policy-minimum selinux-policy-mls selinux-policy-targeted policycoreutils awslogs",
"sudo sh -c 'selinux=1 security=selinux enforcing=1'",
"sudo sh -c 'touch /.autorelabel'",
"sudo cp -prv /boot/grub/menu.lst /boot/grub/menu.lst.default",
"sudo sed -i 's/selinux=0/selinux=1 security=selinux enforcing=1/g' /boot/grub/menu.lst",
"sudo sed -i 's/selinux=0/selinux=1 security=selinux enforcing=1/g' /etc/grub.conf",
"sudo yum -y install augeas git python36 python-pip36 bc unzip wget telnet jq nfs-utils",
"sudo yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm",
"sudo pip install pystache argparse python-daemon requests",
"sudo pip install --upgrade pbr",
"sudo pip install --upgrade pip",
"sudo mkdir /efs",
"sudo chmod 755 /efs",
"sudo sed -i 's/^server/#server/g' /etc/ntp.conf",
"sudo sed -ie \"\\$aserver 169.254.169.123 prefer iburst\" /etc/ntp.conf",
"sudo sed -i 's/daemon//g' /etc/init.d/ntpd",
"sudo sed -i 's/$OPTIONS//g' /etc/init.d/ntpd",
"sudo rm -f /root/.ssh/authorized_keys"
]
}],
"post-processors": [
[{
"type": "manifest",
"output": "manifest.json",
"strip_path": true
}]
]
}
Build as follows:
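# Build the AMI, passing CI metadata through to the AMI tags (see "tags" in packer.json).
# aws_access_key / aws_secret_key are left at their empty defaults so Packer falls back
# to the normal AWS credential chain (environment, profile or instance role) rather than
# taking secrets on the command line.
# NOTE: the original command also passed -var chef_commit=..., but chef_commit is not
# declared in the template's "variables" block; Packer refuses -var values for undeclared
# variables, so declare it there before passing it.
packer build \
  -var "bitbucket_commit=${MAINCOMMIT}" \
  -var "bootstrap_commit=${BOOTSTRAPCOMMIT}" \
  -var "bitbucket_branch=${BITBUCKET_BRANCH}" \
  -var "bitbucket_buildnumber=${BITBUCKET_BUILD_NUMBER}" \
  packer.json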