hardening | security research team | Security library

TLDR: I'm having trouble with setting up CSP for NextJS using Material-UI (server side rendering) and served by Nginx (using reverse proxy).

Currently I have issues with loading Material-UI stylesheet, and loading my own styles

using makeStyles from @material-ui/core/styles

NOTE:

• followed https://material-ui.com/styles/advanced/#next-js to enable SSR
  • https://github.com/mui-org/material-ui/tree/master/examples/nextjs
• I looked at https://material-ui.com/styles/advanced/#how-does-one-implement-csp but I'm not sure how I can get nginx to follow the nonce values, since nonce are generated as unpredictable string.

default.conf (nginx)

I would like to be able to use a Google Cloud Composer cluster to launch kubernetes pods from its DAGs onto a separate GKE Autopilot cluster instead of onto the GKE cluster of Cloud Composer.

I have created a GKE autopilot cluster with "control plane global access" set to disabled and only allowing certain authorised networks to connect to the control plane. (based on the recommended security best practices in the documentation)

My pods all fail to launch with the following error message:

urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='3X.XXX.XXX.XX6', port=443): Max retries exceeded with url: /api/v1/namespaces/sink/pods?labelSelector=dag_id%3Dtest_dag%2Cexecution_date%3D2021-03-17T212059.4745700000-f0b251c80%2Ctask_id%3Dtest_sync (Caused by NewConnectionError(': Failed to establish a new connection: [Errno 110] Connection timed out',)

I am using the GKEStartPodOperator which previously was able to start pods on a GKE cluster that was self managed (not autopilot) and which did not have "control plane global access" disabled.

Is there any documentation about how to setup Composer to be able to connect to a GKE autopilot cluster that is not exposing global access to the control plane and launch pods?

I am learning OpenID Connect implementation in ASP.NET Core with a Web API project. My client is currently Postman.

Context (XY problem): I want Sendgrid to report Webhook data with authentication. Sendgrid uses OAuth 2 flow. I have mocked a Sendgrid Webhook invocation on Postman to use.

I followed a few tutorials to set up authorization server, ie. the part that will issue you a token, in particular using a temporary in-memory store based on EF Core. For the moment, this solution is sufficient to me and I'll have to do more researching and prototyping before becoming production-grade for reuse in future project.

I can successfully obtain a token with Postman using hardcoded credentials. Now I want the Controller APIs to validate tokens issued by the very same server. Let me show some code:

Startup.cs

I had a following error(debian-rules-is-dh_make-template) from lintian.

How should I fix to pass the error?

The message showed me that I didn't modify debian/rules, but I already modified (I added override_dh_auto_clean:), so I guess that my debian/rules is insufficient but I can't figure out why my debian/rules is insufficient...

I'm using a Raspberry Pi 4 Model B and i want to run the Openthread Border Router application on it as a docker container. I use the command docker run --sysctl "net.ipv6.conf.all.disable_ipv6=0 net.ipv4.conf.all.forwarding=1 net.ipv6.conf.all.forwarding=1" -p 8080:80 --dns=127.0.0.1 -dit --network test-driver-net --volume /dev/ttyACM0:/dev/ttyACM0 --name ot-br --privileged openthread/otbr --radio-url spinel+hdlc+uart:///dev/ttyACM0 to start the container. I have tried the openthread/otbr:latest and the openthread/otbr:reference-device (both pushed 10. Nov. 2020) image, both were having the same problem:

The container is started successfully, but the Web-GUI is not available and no network operation takes place. Here is the logged output of the containers if called upon with docker logs ot-br:

Basic auth is deprecated: https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster

I'm authing like this (same as the docs: https://www.terraform.io/docs/providers/google/d/client_config.html):

MacOS now requires that all applications are hardened, signed and notarized. How does one sign and notarize an application created outside of XCode with a tool like PyInstaller?

I've sorted out the signing and notarization for .app files created outside of XTools. There's a really helpful thread here that shows how to add an entitlements.plist which fulfills the hardening of PyInstaller .app files. I believe this also works on command line utilities as well, but could be missing something. Submitting a .dmg containing a .app for notarization using altool will pass the tests and be notarized by Apple.

Submitting a single command line utility using the same process will also pass Notarization, but does not appear signed or notarized to the GateKeeper function on other machines. I assume this has something to do with the fact that a valid Info.plist file is not included in the PyInstaller binary as detailed in this blog post about building and delivering command line tools for Catalina.

Checking the signature of a signed file using codesign -dvv indicates that the Info.plist is "not bound".

Hello fellow Overflowers,

I have 2 Nginx Webservers in my OpenStack Enviroment. I'm trying to set up load balancing with HAProxy right now. Ubuntu 18 is the OS on all servers.

Added the backend IP's to the default config. When I try connect to my LB via Browser I get:

"503 Service Unavailable"

What I know so far:

• Backends are available when I connect directly to them.
• I opened the correct ports in the OpenStack GUI
• I checked the HAProxy logs and found the following:

In hardening our ADO projects for security, we found that an org-level user named "Azure Boards" has been granted access to all area paths. We haven't yet found documentation on this user, so we're assuming that this is a built-in user that should not be altered. However, as part of hardening we do need to understand more about this user.

The question is: Where is the documentation for the org-level ADO user named Azure Boards (if any)?

Update per comment request: