IRMA (Incident Response and Malware Analysis)
https://github.com/quarkslab/irma
Private platform (as it's open-source)
Multi-Analysis engine
Extendable
What's Ansible?
Agentless automation platform (and open-source)
Use SSH to access servers/…
Run tasks (written in YAML) in sequence
Where's the problem?
Role example:

    - name: Install Software
      shell: curl http://get.mysoftware.com | sudo bash
CVE-2016-9587
CVE-2016-9587 is rated as HIGH in risk, as a compromised remote system being managed via Ansible can lead to commands being run on the Ansible controller (as the user running the ansible or ansible-playbook command).
How to connect to a Vagrant box out-of-the-box?
At first it was a good idea to set up some common SSH keys...
Best practice from mitchellh: https://github.com/mitchellh/vagrant/tree/master/keys
“If you're working with a team or company or with a custom box and you want more secure SSH, you should create your own keypair and configure the private key in the Vagrantfile with 'config.ssh.private_key_path'.”
I'll use Packer, and even more, boxcutter because they're so famous!
But I shouldn't have... because of that:

    $ cd boxcutter/debian/script && grep http: *
    cmtool.sh: wget -O - http://bootstrap.saltstack.org | sudo sh
    cmtool.sh: curl -L http://bootstrap.saltstack.org | sudo sh -s -- git $CM_VERSION
    cmtool.sh: wget http://apt.puppetlabs.com/${DEB_NAME}

    $ vagrant box add ubuntu/trusty64
    ==> box: Loading metadata for box 'ubuntu/trusty64'
        box: URL: https://atlas.hashicorp.com/ubuntu/trusty64
    ==> box: Adding box 'ubuntu/trusty64' (v20170208.0.0) for provider: virtualbox
        box: Downloading: https://atlas.hashicorp.com/ubuntu/boxes/trusty64/versions/20170208.0.0/providers/virtualbox.box
    ==> box: Successfully added box 'ubuntu/trusty64' (v20170208.0.0) for 'virtualbox'!
From https://www.vagrantup.com/docs/cli/box.html
“For boxes from HashiCorp's Atlas, the checksums are embedded in the metadata of the box. The metadata itself is served over TLS and its format is validated.”
From https://www.vagrantup.com/docs/boxes/format.html
“You do not need to manually make the metadata. If you have an account with HashiCorp's Atlas, you can create boxes there, and HashiCorp's Atlas automatically creates the metadata for you.”
From https://www.vagrantup.com/docs/boxes/format.html
“It is a JSON document, structured in the following way:”

    {
      "name": "hashicorp/precise64",
      "description": "This box contains Ubuntu 12.04 LTS 64-bit.",
      "versions": [{
        "version": "0.1.0",
        "providers": [{
          "name": "virtualbox",
          "url": "http://somewhere.com/precise64_010_virtualbox.box",
          "checksum_type": "sha1",
          "checksum": "foo"
        }]
      }]
    }
Great, I like that, so I should find it here for example on:
https://atlas.hashicorp.com/ubuntu/boxes/trusty64.json
Nope...
Erf, let's look into some HashiCorp box instead on
https://atlas.hashicorp.com/hashicorp/boxes/precise64.json
Still nope...
Let's try one last thing...

    $ cat imdesperate.json
    {"name": "hashicorp/precise64", "versions": [{"version": "1.1.0", "providers": [{"name": "virtualbox", "url": "https://atlas.hashicorp.com/hashicorp/boxes/precise64/versions/1.1.0/providers/virtualbox.box", "checksum_type": "sha1", "checksum": "imdesperate"}]}]}

    $ vagrant box add imdesperate.json
    ==> box: Loading metadata for box 'imdesperate.json'
        box: URL: file:///home/user/imdesperate.json
    ==> box: Adding box 'hashicorp/precise64' (v1.1.0) for provider: virtualbox
        box: Downloading: https://atlas.hashicorp.com/hashicorp/boxes/precise64/versions/1.1.0/providers/virtualbox.box
    ...
        box: Calculating and comparing box checksum...
    The checksum of the downloaded box did not match the expected value. Please verify that you have the proper URL setup and that you're downloading the proper file.

    Expected: imdesperate
    Received: 034f4af281e648cd65ca6e8d731128b7d2b3ed40
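The check that `vagrant box add` performed on imdesperate.json above, written out as a small fail-closed verifier; this is an added example, not code from the slides, from Vagrant or from Quarkslab. The same pattern (fetch to a file, verify against a pinned digest, only then install or execute) is what replaces the `curl http://... | sudo bash` tasks in the Ansible role and in boxcutter's cmtool.sh. The metadata, the box name `example/precise64`, the `example.invalid` URL and the `fake_fetch` download stand-in are constructed so the code runs offline.

```python
"""Fail-closed checksum verification of a downloaded artifact (added example).

Mirrors the metadata -> download -> compare step vagrant runs on a box, with
constructed metadata and constructed "box" bytes instead of a real download.
"""
import hashlib
import hmac
import json

SUPPORTED = {"sha1", "sha256", "sha512"}


class ChecksumMismatch(Exception):
    pass


class UntrustedArtifact(Exception):
    pass


def verify_artifact(data: bytes, checksum_type: str, expected: str) -> str:
    """Return the hex digest of `data` if it matches `expected`, else raise.

    A missing or unsupported checksum is rejected rather than skipped: an
    artifact with no verifiable digest carries no integrity guarantee.
    """
    if not checksum_type or not expected:
        raise UntrustedArtifact("metadata carries no checksum; refusing to trust the download")
    algo = checksum_type.lower()
    if algo not in SUPPORTED:
        raise UntrustedArtifact(f"unsupported checksum_type {checksum_type!r}")
    received = hashlib.new(algo, data).hexdigest()
    # Constant-time compare, so the comparison does not leak how much matched.
    if not hmac.compare_digest(received, expected.lower()):
        raise ChecksumMismatch(f"Expected: {expected}\nReceived: {received}")
    return received


def select_provider(metadata: dict, version: str, provider: str) -> dict:
    """Pick the provider entry for (version, provider) from Vagrant-style metadata."""
    for v in metadata.get("versions", []):
        if v.get("version") != version:
            continue
        for p in v.get("providers", []):
            if p.get("name") == provider:
                return p
    raise KeyError(f"no provider {provider!r} for version {version!r}")


def add_box(metadata_json: str, version: str, provider: str, fetch) -> str:
    """Resolve the box URL from metadata, fetch it, verify it, return the digest.

    `fetch(url) -> bytes` is injected so the example needs no network.
    """
    meta = json.loads(metadata_json)
    entry = select_provider(meta, version, provider)
    data = fetch(entry["url"])
    return verify_artifact(data, entry.get("checksum_type", ""), entry.get("checksum", ""))


# --- constructed demo data (placeholders, not real boxes or URLs) ----------
BOX_BYTES = b"not a real .box archive, just demo bytes"
BOX_URL = "https://example.invalid/precise64/virtualbox.box"


def fake_fetch(url: str) -> bytes:
    """Stands in for the HTTPS download; serves the constructed bytes."""
    assert url == BOX_URL
    return BOX_BYTES


def metadata_with(checksum: str, checksum_type: str = "sha1") -> str:
    """Build metadata in the JSON shape shown above, with the given checksum."""
    return json.dumps({
        "name": "example/precise64",
        "versions": [{"version": "1.1.0", "providers": [{
            "name": "virtualbox", "url": BOX_URL,
            "checksum_type": checksum_type, "checksum": checksum}]}]})


def demo() -> dict:
    """Run three cases: matching digest, wrong digest ('imdesperate'), no digest."""
    good = hashlib.sha1(BOX_BYTES).hexdigest()
    results = {"ok": add_box(metadata_with(good), "1.1.0", "virtualbox", fake_fetch)}
    try:
        add_box(metadata_with("imdesperate"), "1.1.0", "virtualbox", fake_fetch)
    except ChecksumMismatch:
        results["mismatch"] = "rejected"
    try:
        add_box(metadata_with("", ""), "1.1.0", "virtualbox", fake_fetch)
    except UntrustedArtifact:
        results["no_checksum"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The third case is the one the Atlas experiment above leaves open: when no metadata with a checksum can be obtained, the safe behaviour is to refuse, not to install and hope.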
We did it better
GPG signed checksums data
Metadata files served over TLS with checksum information
https://github.com/quarkslab/packer-ubuntu#security

You can save a bunch of minutes with offline mode!
No more latency
No more bandwidth bottleneck
No more side-effect

Pip dependencies
Freeze specific versions and do not upgrade unless you check the new versions
Do not download exotic packages even from PyPI
Do not rely on GitHub repos or things like that
Use offline packages

    $ mkdir toto
    $ pip install -d ./toto mypackage   # on current pip: pip download -d ./toto mypackage
    # move the folder on the offline node
    $ pip install --no-index --find-links ./toto mypackage
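One way to freeze what sits in the offline folder so that later installs cannot silently pick up a different file: pin each package by version and sha256 in a requirements file that pip's hash-checking mode (`pip install --no-index --find-links ./toto --require-hashes -r requirements.txt`) enforces. This is an added example, not from the slides or from pip; the package filenames and their contents are constructed in a temporary directory and `mypackage` is a placeholder.

```python
"""Pin the packages of an offline directory by version and sha256 (added example).

Produces lines in pip's hash-checking-mode format from the files that
`pip download` left in ./toto; sample files are constructed for the demo.
"""
import hashlib
import os
import re
import tempfile


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    with open(path, "rb") as f:
        return sha256_bytes(f.read())


def name_version(filename: str):
    """Extract (name, version) from a wheel or sdist filename, or None.

    Wheel: name-version-pytag-abi-platform.whl (name uses '_' for '-').
    Sdist: name-version.tar.gz / .zip, where the version starts with a digit.
    """
    if filename.endswith(".whl"):
        parts = filename[:-4].split("-")
        return (parts[0], parts[1]) if len(parts) >= 5 else None
    m = re.match(r"^(.+?)-(\d[^-]*)\.(tar\.gz|zip)$", filename)
    return (m.group(1), m.group(2)) if m else None


def pin_requirements(directory: str) -> dict:
    """Map 'name==version' -> sha256 for every package file in `directory`.

    Files that do not parse as a package are reported under 'unparsed'
    instead of being skipped silently, so nothing unexpected rides along.
    """
    pins, unparsed = {}, []
    for fn in sorted(os.listdir(directory)):
        nv = name_version(fn)
        if nv is None:
            unparsed.append(fn)
            continue
        pins[f"{nv[0]}=={nv[1]}"] = sha256_file(os.path.join(directory, fn))
    return {"pins": pins, "unparsed": unparsed}


def render_requirements(pins: dict) -> str:
    """Format pins as `name==version --hash=sha256:<digest>` lines."""
    return "".join(f"{req} --hash=sha256:{digest}\n" for req, digest in sorted(pins.items()))


def demo() -> dict:
    """Build a constructed ./toto, pin it, and return pins plus the rendered file."""
    with tempfile.TemporaryDirectory() as toto:
        samples = {  # constructed contents, not real packages
            "mypackage-1.2.0-py3-none-any.whl": b"constructed wheel bytes",
            "python-dateutil-2.8.2.tar.gz": b"constructed sdist bytes",
            "notes.txt": b"not a package",
        }
        for fn, content in samples.items():
            with open(os.path.join(toto, fn), "wb") as f:
                f.write(content)
        result = pin_requirements(toto)
        result["requirements"] = render_requirements(result["pins"])
        return result


if __name__ == "__main__":
    print(demo()["requirements"])
```

With `--require-hashes`, pip refuses the whole install if any file's digest differs from the pinned one, which turns "freeze specific versions" into something checked at install time rather than a convention.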
Apt dependencies
Just use apt-offline (recommended):
https://packages.debian.org/jessie/apt-offline
It will be:
Quicker
More secure
More stable