Updating repository lists and keyrings for Kali Linux on Amazon Web Services

I was recently launching an instance of Kali Linux (1.0.6 | 64-bit Amazon Machine Image (AMI) | Updated: 10/10/14) in Amazon Web Services and as the image only provides the Kali package repository (as per the description”bare-bones”) I was looking to install the complete system (apt-get install kali-linux-full) from the available packages.

However, on invoking the installation of the package from the repository I was presented with several response codes stating the repository list(s) could not be found and GPG invalid signatures.

In order to resolve the issue I replaced my list of current repositories (creating a backup first!) and included the below repository items into a new /etc/apt/sources.list file, installed all the necessary keyrings and updated the repository list.

cp /etc/apt/sources.list /etc/apt/sources.list.backup
echo "deb http://http.kali.org/kali sana main non-free contrib" >> /etc/apt/sources.list
echo "deb http://security.kali.org/kali-security sana/updates main contrib non-free" >> /etc/apt/sources.list
apt-get install kali-archive-keyring
apt-get update
apt-get install kali-linux-full

Now I was able to install the complete system for Kali Linux, so sit back and have a coffee this process may take a while!

Advertisements

Enabling Detailed Billing Report (with resources and tags) in AWS Billing Preferences

In order to provide an hourly grain view of your AWS usage and charges by resource and tags you will be required to enable detailed billing with your AWS account billing preferences.

In order to do so there are a couple of pre-requisites you will be required to enable with the billing preferences (https://portal.aws.amazon.com/gp/aws/developer/account/index.html?ie=UTF8&ie=UTF8&action=billing-preferences).

Firstly, you will need to sign up and enable Monthly Reporting to generate detailed statement of your AWS usage.

Secondly, you will need to sign up and enable Programmatic Access. This requires for you to create an Amazon S3 Bucket to publish estimated and month-end Billing Reports.

Once Amazon S3 Bucket has been created you will need to enable a bucket policy to enable reports to be published, the sign up process provides a sample policy as below:

{
    "Version":2008-10-17"
    "Id": "Policy1335892530063",
    "Statement": [
          {
             "Sid": "Stmt1335892150622",
             "Effect": "Allow",
             "Principal": {
                    "AWS": "arn:aws:iam::386209384616:root"
             } 
             "Action": [
                      "s3:GetBucketAcl",
                      "s3:GetBucketPolicy"
             ],
             "Resource": "arn:aws:s3:::"{BUCKETNAME}"
          },
          }
             "Sid": "Stmt1335892526596",
             "Effect": "Allow",
             "Principal": {
                    "AWS": "arn:aws:iam::386209384616:root"
             },
             "Action": "s3:PutObject",
             "Resource": "arn:aws:s3:::{BUCKETNAME}/*"
          }
     ]
}

Once, you have saved the bucket name and the bucket policy has been verified the Detailed Billing Report will be enabled.

Updates to the AWS Management Console and Provisioned IOPS

After being away from the office for a few days, I noticed today that there is a updated user interface to the Amazon Web Services console.

In addition to the updated user interface a number of updates have been included for the Launch Instance Wizard.

Configuring Instance VPC and Subnet Details

On configuring your instance you may now select your VPC and Subnet details from an existing configuration or if required create a new VPC and/or subnet from the wizard.

ScreenHunter_435 Oct. 14 22.24

Search for snapshot when adding a new EBS volume

On adding storage, you may now search for a snapshot to create the EBS volume

ScreenHunter_430 Oct. 14 22.04

Search for EBS tags and values 

As you type, you may now search for existing tags and values and select from a list.

ScreenHunter_431 Oct. 14 22.07

Security Groups 

You may not view the rules for a particular security group before assigning to your instance as well as copying the rule set of an existing security group and if required modify the rules.

ScreenHunter_433 Oct. 14 22.12

One other notable change which occurred in the past week has been to provisioned IOPS and the ratio to capacity. Previously, this was configured as 10:1, now the ratio of IOPS to capacity has been increased to 30:1. So previously when a 100 GB EBS volume  could only provide a 1,000 IOPS, you can now obtain 3,000 IOPS from the same size EBS volume.

 

Using Best Practices checks with CloudCheckr

In the next couple of articles I will be writing I am going to be looking at Resource Control, Cost Optimisation and Best Practice features provided by CloudCheckr (cloudcheckr.com) and how I hope to use them in managing a deployment in Amazon Web Services.

Once you have registered for your CloudCheckr account (see https://deangrant.wordpress.com/2013/09/13/receive-extended-free-trial-of-cloudcheckr-pro/, for an extended trial) and performed the initial creation of a project and collection of your deployment, you can now start to take advantage of the various reports generated from your project.

The first report I will be looking at is the Best Practice report, which takes a detailed look at your deployment to ensure your infrastructure is configured as per each best practice check and provides a status.

The results are categorised into four sections; Availability, Cost, Security and Usage and may be filtered by importance and/or tag.

ScreenHunter_428 Oct. 14 14.40

The items in your report will be categorised with icons and colours to the severity of the status, as below:

  • Red = High
  • Orange = Medium
  • Yellow = Low
  • Blue = Informational
  • Green = No issues found

ScreenHunter_429 Oct. 14 14.48

Each issue generated allows you to either export the information to a CSV file, ignore the issue (maybe I have no DynamoDB clients and do not wish to report this status) or  to check the details of that particular alert.

Checking the details of the issue is really useful and provides a drill through interface to view each issue for that particular alert. For example, for EBS volumes without a snapshot I can not only view each snapshot reporting this status but further investigate the Volume ID to view the details such as Status, Cost Per Month, Availability Zone and the Instance this is attached to.

There are over 100 best practice checks performed and therefore far too many for me to mention in this article.

Also, a feature I do like is the email notification service which will notify you or any new issues discovered since the previous day and provide those details. Previous, best practice tools I have used generally produce static information with no previous history or comparison.

So which alerts did I find most useful?

Ultimately, the question I get asked is how much is this costing and how can we reduce the monthly spend? If you are using your deployment for Development it can become quite easy to have a number of instances and volumes that become idle or unused.. The best practices report will identify these resources and produce a 30 day trend for those idle instances.

One common mistake can also be creating under utilised resources, the usage report will help to identify any under utilised EBS volumes and EC2 instances and allow you to drill through to the resource and display a number of metrics as well as cost to help you determine the correct resource type to select.

The security checks provide a good detailed list of best practices to follow, this will detail information such as security groups that allow traffic from any IP address, all ports and potentially dangerous ports exposed. There are also a number of IAM security checks, such as password policies and mult-factor authentication configuration issues.

Availability alerts can provide a list of EC2 volumes that currently have no snapshots (previous 7 days) which in my case can highlight volumes that have not been configured correctly as snapshots are performed based on tagging of the resource. Also, if you protect instances with termination protection those instances without this option enabled will be highlighted.

In terms of providing high availability within your deployment a number of availability alerts can help to identify issues such as unhealthy instances within Elastic Load Balancers and Multi Availability Zone distribution.

For more detailed information, in regards to using the best practice reports see http://support.cloudcheckr.com/best-practices-detail-report/.

Making a start on reducing spend on AWS…

As part of ongoing monitoring an optimization of the Amazon Web Services (AWS) platform, I am beginning to more actively monitor cost control which can highlight a number of common mistakes with usage of the AWS platform.

Whilst, looking at a number of third party monitoring and resource control solutions, investigating and developing techniques internally all which I hope to blog about in the future there is a number of resources available online, that can help point you in the right direction and help to avoid any gasps at unexpected usage bills, reduce the amount of time you spend analyzing AWS usage data and help you make the correct decision when choosing resource types.

Probably, the first point of call should be looking at techniques to reduce your overall spend. Below, is a webcast from the official AWS YouTube Channel (http://www.youtube.com/user/AmazonWebServices?feature=watch) on how to help reduce your overall spend detailing cost saving strategies and sizing your applications within AWS.

Patch Management with Windows Update Server and WuInstall

I was recently looking to schedule approved updates from Windows Update Server and schedule updates with finer granularity than those provided by the Windows Update Services client. I discovered a command line utility called WuInstall  (http://www.wuinstall.com/index.php/en) which allows for updates to be installed on demand.

As part of this solution, I still required updates to be approved by my Windows Update Server and to be automatically downloaded by the Windows Update Services client on a daily basis.

I created a group policy object and linked to the organisational unit containing the clients and set the following group policy object settings:

Setting State Options Description
Configure Automatic Updates Enabled 3 – Auto download and notify for install Specifies that the instance will download approved updates from the WSUS server, but will only notify for install.
Specify intranet Microsoft Update Service location Enabled http://<name of WSUS server> Specifies the WSUS server as the intranet server to host updates.
Allow non-administrators to receive update notifications Disabled N/A Specifies that only administrators receive update notifications.
Enable client-side targeting Enabled <name of target group> Specifies the target group for the instances to receive updates.

Once the approved updates have been downloaded, the command line utility WuInstall will manage the schedule and installation.

As previously mentioned, WuInstall is a command line tool that allows the installation of Windows Updates on demand and can use the internal WSUS server to discover approved updates.

In the case of a single server, the executable can be downloaded and run with a number of command line arguments, in my case the following are to be used:

WuInstall.exe /install /autoaccepteula /reboot_if_needed /logfile <path to log file>
Usage Description
/install Searches, downloads and installs available updates.
/autoaccepteula Automatically accepts EULA on every update.
/reboot_if_needed Only restarts the instance if needed.
/logfile Creates log file

However, I was required to run the following against a number of servers. The command utility WuInstall supports the use of PSExec to run agaisnt multiple servers (http://www.wuinstall.com/index.php/faq#psexec) and therefore this was the mechanism used to launch the executable from a central management server to invoke the command on each remote server, with the following command line arguments:

PSExec.exe -c -f -s \\Server\Share\WUInstall.exe /install /autoaccepteula /reboot_if_needed /logfile <path to log file>
Usage Description
-c Copies the specific program (WuInstall.exe) to the remote instance for execution.
-f On copying the specific program overwrite the file is this already exists on the remote system.
-s Run remote process in the System account.

Now a further requirement was introduced in that updates were required to be installed on all servers in a particular environment and prior to the updates being installed a snapshot of the root device performed (Amazon Web Services). Therefore all the above would be compiled into a Windows Powershell script and

Param ([string] $Environment)

As the script was to be run against a number of environments, , the script defined parameters for the Environment name, which were called with the Environment argument. The script would required importing the Powershell for Amazon Web Services ((http://aws.amazon.com/powershell/) snap-in to the current powershell session.

If (-not (Get-Module AWSPowershell -ErrorAction SilentlyContinue))
{ 
Import-Module "C:\Program Files(x86)\AWS Tools\Powershell\AWSPowershell\AWSPowershell.psd1" > $null
}

As previously mentioned I have a collection of AWS EC2 instances (not a particularly large environment) to which I want to install the updates agaisnt, therefore this was represented as a collection in a hashtable to contain the information I required the InstanceID, VolumeID of the root device (/dev/sda1) and server name, below is an example of what this would look like;

$Instances = New-Object System.Collection.Generic.List(System.Collections.Hashtable)
$Instances.Add(@{"instanceid"="i-xxxxxxx1";"volumeid"=vol-xxxxxxx1";"name"="xxxxxxxxDEMxxx"})
$Instances.Add(@{"instanceid"="i-xxxxxxx2";"volumeid"=vol-xxxxxxx2";"name"="xxxxxxxxPRExxx"})
$Instances.Add(@{"instanceid"="i-xxxxxxx1";"volumeid"=vol-xxxxxxx1";"name"="xxxxxxxxPRDxxx"})

Once the instances have been listed as a collection we are required to run a loop process to return each instance name and then filter the environment using the substring method as conditional logic, where the naming convention contains the environment name in the 8th, 9th and 10th character of the hostname.

ForEach ($Instance in $Instances)
{
$String = $Instance.Name.ToString().Substring(8,3)
If ($String -eq $Environment)

Once this instances have been returned for the environment, the following is performed against each instance returned in the filter:

  • Stop the EC2 Instance
  • Once stopped perform an EC2 snapshot of the VolumeID specified in the collection and add the description: <Host Name>: WIndows Update on ddMMyyyy_HHmm
  • Once the EC2 snapshot is complete, start the EC2 instance.
  • Once the EC2 instance is running Invoke WuInstall to install the approved updates.
{ 
Stop-EC2Instance $Instance.instanceid 
Do { 
$EC2Instance = Get-EC2Instance -Instance $instance.instanceid  
$State = $EC2Instance.RunningInstance| ForEach-Object {$_.InstanceState.Name}
{
Until ($State -eq "stopped")
New-EC2Snapshot -VolumeID $instance.volumeid -Description ($instance.name + ": Windows Update on " + $Date)
Do { 
$SnapshotStatus = (Get-EC2Snapshot | Where-Object {$_.Description -eq ($instance.name + ": Windows Update on " + $Date)}).status
}
Until ($SnapshotStatus -eq "completed")
Start-EC2Instance $instance.instanceid
Do { 
$EC2Instance = Get-EC2Instance -Instance $instance.instanceid  
$State = $EC2Instance.RunningInstance| ForEach-Object {$_.InstanceState.Name}
}
Until ($State -eq "running")
Start-Sleep -Seconds 300 
$Hostname = $instance.Name
$Command =  "& 'C:\Program Files\SysinternalSuite\PsExec.exe' \\$Hostname -c -f -s \\Server\Share\WUInstall.exe /install /autoaccepteula /reboot_if_needed /logfile \\Server\Share\Logs\logfile.log"
Invoke-Expression $Command
}
}

A couple of issues I experienced with the script, was that when the EC2 instance was reported as running the instance would not be contactable as the status checks had not been completed, so a the script is therefore suspended for a period of five minutes as a workaround.

There is currently a known issue with Powershell for Amazon Web Services snap-in (3.0.512.0) where the Get-EC2InstanceStatus cmdlet fails to return stopped instances. This requires a workaround to be performed where the instance state is returned using the Get-EC2Instance cmdlet and returning the value of the RunningInstance.InstanceState.Name object.

I plan to update this script to remove the dependency on a collection as a hashtable and return this information using the Powershell for Amazon Web Services Tools snap-in. Also, I will hopefully address the issue of reporting the EC2 instance as being in a running status where the status checks have not completed and remove the need to suspend the script.

The script will require AWS credentials to run the various cmdlets above, in this process I store the credentials on the local computer where the scheduled task is invoked.

The full Windows Powershell script can be downloaded from the below link:

https://app.box.com/s/7t2b5zqgbp4kus34rtwf

Return AWS Service Health Dashboard details to Nagios

I was recently looking into returning service details from the AWS Service Health Dashboard to Nagios where any service issues would be reported as a critical state and remain with this status for the duration of the publication date.

I was able to do this by using the Invoke-RestMethod in Windows Powershell by querying a particular services RSS feed.

As the script was to be run against a number of different AWS services , I did not want to create multiple scripts as well as multiple services within Nagios. Therefore, the script defined parameters for the RSS feed, which were called with the RSS argument.

The RSS argument would be the filename of the services RSS file, as the URL for each service status would always contain http://status.aws.amazon.com/rss/. We will also specify the current date as a variable for later comparing to the publication date of the link,

Param ([string] $RSS)
$Date = (get-date).toString('dd MMM yyyy')

Once the RSS parameter is specified we can build the string to query the URL of the RSS feed using the Invoke-RestMethod. As querying the RSS feed returns multiple links we will also need to return the most recent link using the select-object cmdlet.

$url = Invoke-RestMethod -Uri "http://status.aws.amazon.com/rss/$RSS.rss"   | Select -first 1

Once we have returned the link, we want to check the publication date to determine if this is from the current day and if so return this to be a critical status to Nagios and return the description to be the service status.

If ($url.pubdate -like "*" + $Date + "*")
{ 
$returncode = 2
$url.description 
}

If the publication date is not the current date we want to return this as an OK status to Nagios and return the service status as returning as normally.

Else
{ 
$returncode = 0
"Service is operating normally"  
}

Finally, we will exit the powershell session returning the exit code.

exit $returncode

An example of executing the above script to query the ‘Amazon Virtual Private Cloud (Ireland)’ service which has the URL of http://status.aws.amazon.com/rss/vpc-eu-west-1.rss, the script would be run as the below:

./Read-AWSServiceHealthDashboard.ps1 -RSS vpc-eu-west-1

While the script was created to be executed as an external script within Nagios, this can be run standalone from Windows Powershell. If your are looking to add external scripts to Nagios such as this one see the below link for more information;

https://deangrant.wordpress.com/2013/09/12/creating-and-running-external-scripts-within-nagios-xi/

The full Windows Powershell script can be downloaded from the below link:

https://app.box.com/s/848trplqvu9v8f6um84m