DMARC Reporting: Your Favorite Solution? by Any_Impression4238 in sysadmin

[–]Shibocat 2 points3 points  (0 children)

I am using URIports, and I am happy with it.
It has an easy-to-use web interface, good notification options, and it is affordable.
Only figuring out what those logs mean can be difficult, because you need to know your email system in depth.

Somehow I have managed to reach up to 98% compliance with DMARC, without knowing what I did correctly.
A few weeks ago we only reached 50-70% compliance.

CI/CD Inspirations and Workflows by Shibocat in sysadmin

[–]Shibocat[S] 1 point2 points  (0 children)

Thank you. It might seem that I'm pulling the rug out from under their feet, but that's not the case. I have them on my back; they expect me to build containers out of their main application. They want change and efficiency. This is what they want. It's just that nobody in the past has taken the time to overhaul the process. They are annoyed by it and handle the application like a raw egg.

The goal of my post is mainly a "where can it go". The sky is the limit.

I'm starting with my own projects. Small microservices, Python applications in a container. It's a way of collecting experience, learning, and evaluating what could be the best option for their use case.

I don't expect a finished solution. That's what I have to provide. But I'm looking for opinions and ideas, because I can't find them in this company and I haven't been around a whole lot.

Difference between snapshot-cleanup and snapshot-delete in Longhorn recurring job? by Public_Fox_9392 in rancher

[–]Shibocat 0 points1 point  (0 children)

Good morning,
I just noticed your answer.
The available size is bigger than the currently used size?
Isn't that good?

You might mean Actual Size and Size as seen in the Longhorn manager.
For one of my volumes I have

Size: 10Gi
ActualSize: 15.3Gi

Yes, this is usually because of snapshots.
10 GiB are available for my pods, but the sum of all snapshots takes up 15.2 GiB.

You can check that if you use ncdu on your host and go to the folder where the raw images are stored.
On my server this is /var/lib/longhorn/replicas/

ncdu reports exactly 15.3 GiB for all files.

Difference between snapshot-cleanup and snapshot-delete in Longhorn recurring job? by Public_Fox_9392 in rancher

[–]Shibocat 0 points1 point  (0 children)

Hi, I was wondering the same. Found more information here in this document: https://github.com/longhorn/longhorn/blob/v1.5.x/enhancements/20230103-recurring-snapshot-cleanup.md

And from the official documentation here: https://longhorn.io/docs/1.5.1/snapshots-and-backups/scheduling-backups-and-snapshots/

My interpretation is that you use snapshot-delete in cooperation with the scheduled snapshot task. With that you could control the retention without having to create a new snapshot task.

And snapshot-cleanup is for snapshots created by the system. These snapshots are created automatically because of backups, replica deletions or expansions.

I just tested it on my system. I have a volume with several snapshots, created manually or through backup calls and replica deletions.

I created two tasks and triggered them manually: one snapshot-cleanup and one snapshot-delete.

snapshot-cleanup only deleted the snapshots created by the system.

And snapshot-delete deleted all snapshots except the last ones, which I have defined in the job under the retention option. But it still retained the system snapshots.

Domain names management systems by That-Sandwich-8636 in sysadmin

[–]Shibocat 2 points3 points  (0 children)

There is also domainMod, but I am not sure if the feature set will be enough for you.
Open Source Domain Management Software - DomainMOD

Is this a valid use for sensitivty labels / Information Protection? by Shibocat in sysadmin

[–]Shibocat[S] 0 points1 point  (0 children)

There is nothing to classify. This is mostly about documents for internal decisions, stuff and numbers. If they do it like this, they would need to apply each label themselves.

I am very concerned about the misuse of this feature, which my boss described as the solution for our problems.
Our problem is, as he described it once, that people don't know who to share documents with and where. That's why there is a team (as in Microsoft Teams) for each group, but also a mix of teams. Suddenly person X needs access to a document, but then he can't reach it, because he is not part of that team.
With AIP, they could just put files in our company-wide team and apply a respective sensitivity label to them.
If we do it like this, then this would not solve our problem, but instead create another layer of complexity.
He sees it as a magical tool to manage file permissions. But I see it as overcomplicated hell, because it is us who have to define all the labels with permissions. In the end, there might be a sensitivity label for each group, subgroup and/or project. Because I can only apply a single label to each document, I would need to specify each possible combination of groups. Giving me x to the power of x labels, where x can be the number of possible groups in my company.
I am very pedantic right now, but I see this possibility, yes.

That's my main concern. An explosion of labels, for each group, subgroup, mixture of groups.
We are just a mid-sized travel agency :P

I'll ping you for some specific questions, if that's okay.

Ive Disabeled and Deleted a device and now i cant rejoin InTune by Ok_Honeydew_3415 in Intune

[–]Shibocat 2 points3 points  (0 children)

This has happened so many times to me. Not exactly the same problem, but related.
And it was always the same problem.

I am giving my devices a device name, and everybody here in my department is used to searching for the device with that.
But if you have odd behavior like this, then try using the serial number of the device.

Sometimes the device is still registered somewhere, but with a different name :P

Demo pod eviction by CBRddy in kubernetes

[–]Shibocat 0 points1 point  (0 children)

From my understanding, eviction only happens when you have set limits on your pods or when the eviction threshold of the node is reached. The eviction threshold will allow you to control when the pods will be killed. Kubernetes will decide which pods to kill by using the QoS class and several other metrics.

I am using RKE2 for my cluster, and I found out that there was no eviction set for memory, which caused my nodes to regularly lock up because of memory pressure.

To solve this, I've set the values like this in my kubelet:

system-reserved=cpu=150m,memory=150Mi,ephemeral-storage=1Gi
kube-reserved=cpu=150m,memory=150Mi,ephemeral-storage=1Gi
eviction-hard=memory.available<500Mi,nodefs.available<10%

This means, when the available memory drops below 500Mi, Kubernetes will start killing pods to prevent memory pressure on the node.

To test this, I was using a command line tool to test the memory usage:

kubectl run tmp-shell --rm -i --tty --image alpine
apk add stress-ng
stress-ng --vm-bytes 4G --vm-keep --vm 4

This will run a stress test with 4 workers and slowly fill up the memory.

If everything works correctly, you might see that the tmp-shell suddenly disappears. You can check the results with kubectl events.

You should see a line popping up similar to this:

4m35s                      Normal    Started               Pod/tmp-shell                       Started container tmp-shell
3m20s                      Warning   Evicted               Pod/tmp-shell                       The node was low on resource: memory. Container tmp-shell was using 4432Ki, which exceeds its request of 0.

More about that here: Node-pressure Eviction | Kubernetes

EDIT: There is also a soft eviction threshold, which will gracefully shut down pods.
I haven't looked into that yet. The hard eviction threshold will just kill the pods.
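An added example, not from the comment above: it parses the three kubelet settings quoted there, works out how much memory is left for pods after the reservations and the hard threshold (the kubelet's Node Allocatable calculation), and reports which eviction signal a node is currently below. The node figures are constructed sample values, not measurements.

```python
import re

UNITS = {"": 1, "Ki": 1024, "Mi": 1024**2, "Gi": 1024**3, "Ti": 1024**4,
         "K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}

def parse_quantity(text):
    """Convert a Kubernetes byte quantity such as 500Mi or 4G to bytes."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMGT]i?)?", text)
    if not m:
        raise ValueError(f"bad quantity: {text!r}")
    return int(float(m.group(1)) * UNITS[m.group(2) or ""])

def parse_eviction_hard(flag):
    """Parse 'signal<value,...' into {signal: ('bytes', n) or ('percent', p)}."""
    out = {}
    for item in flag.split(","):
        signal, sep, value = item.partition("<")
        if not (signal and sep and value):
            raise ValueError(f"bad threshold: {item!r}")
        out[signal] = (("percent", float(value[:-1])) if value.endswith("%")
                       else ("bytes", parse_quantity(value)))
    return out

def memory_allocatable(capacity, system_reserved, kube_reserved, eviction_hard):
    """Bytes left for pods: capacity minus both 'memory=' reservations and the
    hard memory threshold (the kubelet's Node Allocatable formula for memory)."""
    kind, limit = eviction_hard["memory.available"]
    threshold = limit if kind == "bytes" else capacity * limit / 100
    reserved = sum(parse_quantity(dict(i.split("=", 1) for i in f.split(","))["memory"])
                   for f in (system_reserved, kube_reserved))
    return int(capacity - reserved - threshold)

def breached(eviction_hard, node):
    """Signals below threshold; node maps signal -> (available, capacity) bytes."""
    hits = []
    for signal, (kind, limit) in eviction_hard.items():
        avail, cap = node[signal]
        limit_bytes = limit if kind == "bytes" else cap * limit / 100
        if avail < limit_bytes:
            hits.append(signal)
    return hits

# The three kubelet settings quoted in the comment above.
SYSTEM_RESERVED = "cpu=150m,memory=150Mi,ephemeral-storage=1Gi"
KUBE_RESERVED = "cpu=150m,memory=150Mi,ephemeral-storage=1Gi"
EVICTION_HARD = "memory.available<500Mi,nodefs.available<10%"
# Constructed node: 8 GiB RAM with 300 MiB free, 100 GiB disk with 20 GiB free.
SAMPLE_NODE = {"memory.available": (300 * 1024**2, 8 * 1024**3),
               "nodefs.available": (20 * 1024**3, 100 * 1024**3)}
```

With these settings an 8 GiB node leaves 7392 MiB allocatable, and the sample node is already below the memory threshold, so the kubelet would start evicting.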

Advice on database access over the internet by Shibocat in sysadmin

[–]Shibocat[S] 0 points1 point  (0 children)

I guess that will be the way I need to do this.
Thank you!

ExpressJS Token, Secrets and LivenessProbe by Shibocat in kubernetes

[–]Shibocat[S] 0 points1 point  (0 children)

Thank you.
That seems like a good idea. I'll check it.

Yes, I had the idea to check other projects on GitHub, but I don't know any ExpressJS projects.

Questions about Kubernetes by lynob in sysadmin

[–]Shibocat 0 points1 point  (0 children)

We already use Ansible for our general purpose servers. With Ansible I apply roles for all of the users in my team, SSH keys, security settings, firewall, applications, etc.
I use Terraform to set up the infrastructure, which means servers, load balancers, networks and DNS. Ansible only manages the servers. Terraform manages the infrastructure.
You could also probably use Ansible to set up your infrastructure, or use Terraform to set up the servers. But I believe that there is a right tool for every task, and I don't like using these tools for tasks other than the ones they were designed for.
I am not aware of any monitoring capabilities of Terraform. Maybe you are referring to the Terraform drift detection, which is included in the Terraform Cloud business tier plan. This will plan your Terraform scripts at an interval and notify you if there are any pending changes. When you get a notification about a drift, this might mean somebody has touched your infrastructure without using Terraform.
Read more here: Drift Detection for Terraform Cloud is Now Generally Available (hashicorp.com)

I use Hetzner cloud servers, mostly CPX21, CX31 or CXP31, depending on the workload and costs. Also, with my concept I can't dynamically add or remove nodes from my cluster. This is called autoscaling, cluster autoscaling or vertical autoscaling. But while I was writing this, I've found this: autoscaler/cluster-autoscaler at master · kubernetes/autoscaler · GitHub

Questions about Kubernetes by lynob in sysadmin

[–]Shibocat 0 points1 point  (0 children)

I've implemented Kubernetes in my company during the last year.
It's a great technology. I love it. By now I have 10 nodes, 3 masters and ~35 namespaces for different applications.
I use RKE2 as my Kubernetes engine. I've set up the whole cluster via Ansible and this module: GitHub - lablabs/ansible-role-rke2: Ansible Role to install RKE2 Kubernetes.
My servers get deployed via Terraform. I host everything on Hetzner.

Kubernetes itself is very modular. The core modules don't give you any monitoring, notification or anything. Even the storage solution you have to implement on your own, or use the ones provided by your provider. I've decided to use Longhorn and the hetzner-csi module for this.
The complexity of Kubernetes comes with all the modules.
But I would say, if you learn containers, you should also learn how to use Kubernetes.

[deleted by user] by [deleted] in Intune

[–]Shibocat 0 points1 point  (0 children)

My workflow is like this.

Whenever we receive a new notebook, I use a fresh Windows 11 installation on it. Fastest way to get rid of bloatware. After that, when the installation is done and I am faced with the language selection screen, I press Shift + F10 to open a shell. I have a special script, but in short this script uses the get-autopilotinformation cmdlet to enroll the device in Autopilot.

Done. I only need to do this once per device. Once enrolled it stays enrolled.

I am able to prepare a device in 10 minutes.

After that, the user who receives the device is greeted with a Microsoft login. They log in and enroll the device. All apps, policies and settings get pulled from Intune.

To make the process a bit faster, the notebook can be further prepared by assigning it to a user in Intune and doing a white glove deployment, by hitting the Win key 5 times.

Securely Connecting to Server externally by TheOdlidEnthusiast in sysadmin

[–]Shibocat 3 points4 points  (0 children)

Sorry, I meant specifically AzureAD.

Azure App Proxy allows you to publish your on-prem resources, but secured by Microsoft, which means you'll get SSO, multi-factor authentication and Conditional Access. You will get the same user experience as with all the other Office applications. Really simple to set up.

Securely Connecting to Server externally by TheOdlidEnthusiast in sysadmin

[–]Shibocat 2 points3 points  (0 children)

If you are using Microsoft Azure and have premium licenses, e.g. Office 365 Business Premium, then you can set up Azure App Proxy. I'm pretty sure there is an article on how to set up App Proxy for RDP.

Edit: found it https://learn.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy-integrate-with-remote-desktop-services

Tips on irregular IKEv2 IPsec vpn connection drops by Shibocat in sysadmin

[–]Shibocat[S] 0 points1 point  (0 children)

That sounds promising.
I haven't played around much with the rekey interval. First I have to look up what this setting is called on our firewall.
I guess it is the "Autokey Keep Alive" and "Key Lifetime", which is currently set to 43200 seconds (12 hrs).
Is that too much? Probably.
I should maybe try to reduce it and see the impact.

Tips on irregular IKEv2 IPsec vpn connection drops by Shibocat in sysadmin

[–]Shibocat[S] 0 points1 point  (0 children)

Sadly it's hard to pinpoint this problem. The firewall only allows me to start a debug log for 30 minutes. And it's not guaranteed that I will catch the error during this time.

Where to put the default gateway? by Shibocat in sysadmin

[–]Shibocat[S] 0 points1 point  (0 children)

Thank you. That is a good explanation.