adam buxton abuxton

@kawsark
kawsark / vault-jenkins-approle.md
Last active September 24, 2024 13:49
Example Jenkins integration for Vault using AppRole and curl

Example Jenkins integration for Vault

This snippet provides an example Jenkinsfile that performs an AppRole authentication using the curl utility. The objective is to allow Jenkins to authenticate to Vault, then use a temporary token to retrieve a secret. It does not rely on a plugin and therefore offers more flexibility.

AppRole authentication relies on a ROLE_ID and SECRET_ID to login and retrieve a Vault token. There are two ways to provide the SECRET_ID to Jenkins. Both of these are expanded upon below.

  1. Pre-created SECRET_ID as a Jenkins secret. An out-of-band workflow will need to refresh the SECRET_ID periodically so Jenkins continues to perform AppRole logins successfully.
  2. Alternative AppRole design: Give Jenkins the ability to refresh the SECRET_ID by itself.

1. Pre-created Secret ID

@greenbrian
greenbrian / snapshot.md
Created December 6, 2019 04:15
Consul Snapshot restore Vault cluster

Take a consul snapshot:

consul snapshot save backup.snap

Verify consul snapshot:

consul snapshot inspect backup.snap

Stop Consul:

systemctl stop consul.service

Stop Vault:

How I passed the CISSP

Studying

  • The CISSP is a "mile wide and an inch deep." Don't learn everything. Focus on concepts. Only exception to this rule is Crypto and Physical security. Memorize that stuff.
  • The easiest way to understand the test is to follow the domain structure and use it as a mental scaffolding on which you hang knowledge.
  • I used a version of this book: https://www.amazon.com/Official-ISC-Guide-CISSP-Press/dp/1482262754
  • Reading the book is super dull and you will hate yourself if you try and read cover to cover. In fact just about every review says the same thing. The point they miss is that this book has EVERYTHING YOU NEED. That's why you should not read it all.
  • Take out some paper, open the book and go through each domain creating an outline of the domain > paragraph headings > 3-5 spaces for bullet points.
  • Leave the spaces for later. You can fill it in after your first practice exam.
  • After I completed outlining the book, I took a full 150 question practice e
@apolloclark
apolloclark / cicd_build_tools_and_testing.md
Last active May 15, 2024 16:55
CI/CD Build Tools and Testing
@greenbrian
greenbrian / approle.sh
Created April 5, 2019 13:25
Vault CLI testing AppRole
#!/bin/bash
# start a dev-mode vault server in the background so the commands below can run in this shell
VAULT_UI=true vault server -dev -dev-root-token-id=root -dev-listen-address=127.0.0.1:8200 &
export VAULT_ADDR=http://127.0.0.1:8200
sleep 2  # give the server a moment to come up
# login as root - DO NOT DO THIS IN PRODUCTION
vault login root
# write some secrets (dev mode mounts a KV v2 engine at secret/)
vault kv put secret/test color=blue number=eleventeen
@mbaitelman
mbaitelman / README.md
Last active November 18, 2024 14:01
Automated Terraform Deployments Using Bitbucket Pipelines
@maxschae4
maxschae4 / generate_requests_ca_bundle.py
Created October 11, 2018 22:31
Add internal CA certs to requests bundle
from os import environ, path
from glob import glob
import certifi
# Even if we have trusted certs in our system CA certificates, requests uses its own
# Mine happen to live in /usr/local/share/ca-certificates
# DON'T update the existing bundle because updating requests will overwrite it
cert_dir = "/usr/local/share/ca-certificates"
pwd = path.abspath(path.dirname(__file__))
# Assumed continuation of the truncated gist: write certifi's bundle plus the
# internal CA certs to a new file next to this script and point requests at it.
bundle_path = path.join(pwd, "ca-bundle.crt")
with open(bundle_path, "wb") as bundle:
    bundle.write(open(certifi.where(), "rb").read())
    for cert in sorted(glob(path.join(cert_dir, "*.crt"))):
        bundle.write(b"\n" + open(cert, "rb").read())
environ["REQUESTS_CA_BUNDLE"] = bundle_path
@soloradish
soloradish / vault_logrotate
Created September 12, 2018 02:25
logrotate setting file for HashiCorp's Vault audit file
# Change the path below to your own audit log path.
/var/log/vault/audit.log {
    rotate 30
    daily
    # Do not execute rotate if the log file is empty.
    notifempty
    missingok
    compress
    # Set compress on next rotate cycle to prevent entry loss when performing compression.
    delaycompress
}
@wyllie
wyllie / parse_ini.sh
Created July 22, 2018 17:04
Parse aws credentials file in bash
#!/usr/bin/env bash
INI_FILE=~/.aws/credentials
section=""
# IFS of ' = ' splits on spaces and '=' so "key = value" lines read cleanly
while IFS=' = ' read -r key value
do
    if [[ $key == \[*] ]]; then
        section=$key
    elif [[ $value ]] && [[ $section == '[default]' ]]; then
        if [[ $key == 'aws_access_key_id' ]]; then
            export AWS_ACCESS_KEY_ID=$value   # assumed continuation of the truncated gist
        elif [[ $key == 'aws_secret_access_key' ]]; then
            export AWS_SECRET_ACCESS_KEY=$value
        fi
    fi
done < "$INI_FILE"