
DevSecCon Asia 2017: Guillaume Dedrie: A trip through the security of DevOps tools


Summary
1. Ansible
2. Vagrant/Packer
3. Going offline

IRMA(Incident Response and Malware Analysis)

https://github.com/quarkslab/irma

Private platform (as it's open-source)

Multi-Analysis engine

Extendable

Summary
1. From one week to two days
2. From two days to 6 hours
3. From 6 hours to a few minutes

1. From one week to two days

What's Ansible?
Agentless automation platform (and open-source)

Use SSH to access servers/…

Run tasks (written in yaml) in sequence

Where's the problem?
Role example:

- name: Install Software
  shell: curl http://get.mysoftware.com | sudo bash

CVE-2016-9587
CVE-2016-9587 is rated as HIGH in risk, as a compromised remote system being managed via Ansible can lead to commands being run on the Ansible controller (as the user running the ansible or ansible-playbook command).

2. From two days to 6 hours (Virtual Machines Off The Shelf)

Vagrant

What's a Vagrant Box?

$ tar -tf ~/libvirt.box
box.img
metadata.json

How to connect to a Vagrant box out-of-the-box?

At first it was a good idea to set up some common SSH keys...

One year later…

And three years later, some progress has been made!

Best practice from mitchellh (https://github.com/mitchellh/vagrant/tree/master/keys):

“If you're working with a team or company or with a custom box and you want more secure SSH, you should create your own keypair and configure the private key in the Vagrantfile with 'config.ssh.private_key_path'.”

Home-made boxes

I'll use Packer, and even more, boxcutter because they're so famous!

But I shouldn't have... because of that:

$ cd boxcutter/debian/script && grep http: *
cmtool.sh: wget -O - http://bootstrap.saltstack.org | sudo sh
cmtool.sh: curl -L http://bootstrap.saltstack.org | sudo sh -s -- git $CM_VERSION
cmtool.sh: wget http://apt.puppetlabs.com/${DEB_NAME}

Boxes in the rightful cloud

Atlas Cloud

$ vagrant box add ubuntu/trusty64
==> box: Loading metadata for box 'ubuntu/trusty64'
    box: URL: https://atlas.hashicorp.com/ubuntu/trusty64
==> box: Adding box 'ubuntu/trusty64' (v20170208.0.0) for provider: virtualbox
    box: Downloading: https://atlas.hashicorp.com/ubuntu/boxes/trusty64/versions/20170208.0.0/providers/virtualbox.box
==> box: Successfully added box 'ubuntu/trusty64' (v20170208.0.0) for 'virtualbox'!

From https://www.vagrantup.com/docs/cli/box.html

“For boxes from HashiCorp's Atlas, the checksums are embedded in the metadata of the box. The metadata itself is served over TLS and its format is validated.”

But wait... Let's look at this checksum story...

From https://www.vagrantup.com/docs/boxes/format.html

“You do not need to manually make the metadata. If you have an account with HashiCorp's Atlas, you can create boxes there, and HashiCorp's Atlas automatically creates the metadata for you.”

From https://www.vagrantup.com/docs/boxes/format.html

“It is a JSON document, structured in the following way:”

{
  "name": "hashicorp/precise64",
  "description": "This box contains Ubuntu 12.04 LTS 64-bit.",
  "versions": [{
    "version": "0.1.0",
    "providers": [{
      "name": "virtualbox",
      "url": "http://somewhere.com/precise64_010_virtualbox.box",
      "checksum_type": "sha1",
      "checksum": "foo"
    }]
  }]
}

Great, I like that, so I should find it here for example on:
https://atlas.hashicorp.com/ubuntu/boxes/trusty64.json

Nope...

Erf, let's look into some Hashicorp box instead on
https://atlas.hashicorp.com/hashicorp/boxes/precise64.json

Still nope...

Let's try one last thing...

$ cat imdesperate.json
{
  "name": "hashicorp/precise64",
  "versions": [{
    "version": "1.1.0",
    "providers": [{
      "name": "virtualbox",
      "url": "https://atlas.hashicorp.com/hashicorp/boxes/precise64/versions/1.1.0/providers/virtualbox.box",
      "checksum_type": "sha1",
      "checksum": "imdesperate"
    }]
  }]
}

$ vagrant box add imdesperate.json
==> box: Loading metadata for box 'imdesperate.json'
    box: URL: file:///home/user/imdesperate.json
==> box: Adding box 'hashicorp/precise64' (v1.1.0) for provider: virtualbox
    box: Downloading: https://atlas.hashicorp.com/hashicorp/boxes/precise64/versions/1.1.0/providers/virtualbox.box
...
    box: Calculating and comparing box checksum...
The checksum of the downloaded box did not match the expected value. Please verify that you have the proper URL setup and that you're downloading the proper file.

Expected: imdesperate
Received: 034f4af281e648cd65ca6e8d731128b7d2b3ed40

We did it better

GPG-signed checksum data
Metadata files served over TLS with checksum information

https://github.com/quarkslab/packer-ubuntu#security
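The experiment above shows what Vagrant does once a checksum is actually present in the metadata: the download is hashed and refused on mismatch. The problem on the slides is the other case, metadata served without any checksum, where nothing is ever compared. The following is an added example, not Quarkslab's, Vagrant's or Ansible's code: it walks the box metadata layout quoted earlier, refuses an entry that carries no checksum or a non-TLS URL, and only then hashes the downloaded file and compares it in constant time. The same check is what the "curl http://... | sudo bash" Ansible role earlier lacks for its installer script. The placeholder box file, the four demo cases and the SUPPORTED policy table are constructed for this example; GPG signature verification of the metadata, which the Quarkslab packer-ubuntu setup adds on top, is not covered here.

```python
"""Verify a downloaded artifact against pinned checksum metadata before using it.

Added example (not Quarkslab's, Vagrant's or Ansible's code). The metadata layout
follows the Vagrant box JSON quoted on the slides; the check itself is generic
and applies equally to an installer script fetched by an Ansible role.
"""
import hashlib
import hmac
import os
import tempfile
from dataclasses import dataclass
from urllib.parse import urlparse

# Digest algorithms we are willing to trust in "checksum_type". Assumption: a
# policy choice for this example; md5 is left out on purpose.
SUPPORTED = {"sha1": hashlib.sha1, "sha256": hashlib.sha256, "sha512": hashlib.sha512}


@dataclass
class Verdict:
    ok: bool
    reason: str
    computed: str = ""


def file_digest(path, algo):
    """Stream the file through the chosen hash; boxes can be gigabytes."""
    h = SUPPORTED[algo]()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def select_provider(metadata, version, provider):
    """Find the provider entry for one version in Vagrant-style metadata."""
    for v in metadata.get("versions", []):
        if v.get("version") != version:
            continue
        for p in v.get("providers", []):
            if p.get("name") == provider:
                return p
    return None


def verify_box(metadata, version, provider, downloaded_path):
    """Refuse the artifact unless metadata pins a checksum and the file matches it."""
    entry = select_provider(metadata, version, provider)
    if entry is None:
        return Verdict(False, "no such version/provider in metadata")
    url = entry.get("url", "")
    if urlparse(url).scheme != "https":
        # Same flaw as "curl http://... | sudo bash": a plain-HTTP fetch can be
        # swapped on the wire, so reject it before even looking at checksums.
        return Verdict(False, f"refusing non-TLS URL: {url}")
    algo = entry.get("checksum_type")
    expected = entry.get("checksum")
    if not algo or not expected:
        # The Atlas situation on the slides: metadata with no checksum at all,
        # so the download would never be compared against anything.
        return Verdict(False, "metadata carries no checksum; refusing unverifiable artifact")
    if algo not in SUPPORTED:
        return Verdict(False, f"unsupported checksum_type {algo!r}")
    computed = file_digest(downloaded_path, algo)
    if not hmac.compare_digest(computed, expected.lower()):
        return Verdict(False, f"checksum mismatch: expected {expected}, received {computed}", computed)
    return Verdict(True, "checksum verified", computed)


def demo():
    """Run the cases from the slides against a constructed placeholder box file."""
    workdir = tempfile.mkdtemp()
    box_path = os.path.join(workdir, "virtualbox.box")
    with open(box_path, "wb") as f:
        f.write(b"constructed placeholder, not a real box image\n")  # constructed input
    https_url = ("https://atlas.hashicorp.com/hashicorp/boxes/precise64"
                 "/versions/1.1.0/providers/virtualbox.box")

    def meta(url=https_url, **fields):
        return {"name": "hashicorp/precise64",
                "versions": [{"version": "1.1.0",
                              "providers": [{"name": "virtualbox", "url": url, **fields}]}]}

    args = ("1.1.0", "virtualbox", box_path)
    return {
        "no_checksum": verify_box(meta(), *args),
        "wrong_checksum": verify_box(meta(checksum_type="sha1", checksum="imdesperate"), *args),
        "good": verify_box(meta(checksum_type="sha1", checksum=file_digest(box_path, "sha1")), *args),
        "plain_http": verify_box(meta(url=https_url.replace("https://", "http://"),
                                      checksum_type="sha1", checksum="imdesperate"), *args),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:15} ok={verdict.ok} {verdict.reason}")
```

The "no_checksum" case is the one worth watching in a pipeline: a metadata document that validates structurally but carries no checksum should fail the build, not silently skip verification.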

3. From 6 hours to a few minutes

DevOps: when the Internet is on

DevOps: when the Internet is broken

You can save a bunch of minutes with offline mode!
No more latency
No more bandwidth bottleneck
No more side-effects

Worst error of the dev people?

Pip dependencies
Freeze specific versions and do not upgrade unless you check the new versions
Do not download exotic packages even from PyPI
Do not rely on GitHub repos or things like that
Use offline packages

$ mkdir toto
$ pip install -d ./toto mypackage
# move the folder on the offline node
$ pip install --no-index --find-links ./toto mypackage
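Freezing versions and installing from a local folder covers availability; it does not by itself stop a tampered wheel in that folder from being installed. The following is an added example, not IRMA's or pip's code, that takes the offline folder from the commands above one step further: it walks a wheelhouse, parses each wheel or sdist filename for name and version, and emits a requirements file pinned with sha256 hashes, which pip's hash-checking mode then enforces on the offline node. The filename regexes, the PEP 503 name normalization and the empty placeholder artifacts in demo() are assumptions made for this example.

```python
"""Build a hash-pinned requirements file from a local wheelhouse.

Added example (not IRMA's or pip's code). Assumes the wheelhouse was filled on a
connected host (e.g. `pip download -d ./wheelhouse -r requirements.in`, the
current form of the `pip install -d` shown on the slides) and copied to the
offline node; the artifact files in demo() are empty placeholders.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Wheel: {name}-{version}[-{build}]-{python}-{abi}-{platform}.whl (PEP 427)
WHEEL_RE = re.compile(
    r"^(?P<name>[^-]+)-(?P<version>[^-]+)(?:-[^-]+)?-[^-]+-[^-]+-[^-]+\.whl$")
# sdist: {name}-{version}.tar.gz or .zip; the name may itself contain hyphens
SDIST_RE = re.compile(r"^(?P<name>.+)-(?P<version>[^-]+)\.(?:tar\.gz|zip)$")


def sha256_of(path):
    """Stream the artifact through sha256 (wheels with native code can be large)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_artifact(filename):
    """Return (normalized name, version) for a wheel or sdist filename, else None."""
    m = WHEEL_RE.match(filename) or SDIST_RE.match(filename)
    if not m:
        return None
    name = re.sub(r"[-_.]+", "-", m["name"]).lower()  # PEP 503 normalization
    return name, m["version"]


def pinned_requirements(wheelhouse):
    """One `name==version --hash=sha256:...` line per artifact, in stable order."""
    lines = []
    for path in sorted(Path(wheelhouse).iterdir(), key=lambda p: p.name):
        parsed = parse_artifact(path.name)
        if parsed is None:
            continue  # README, index.html, stray downloads: not installable artifacts
        name, version = parsed
        lines.append(f"{name}=={version} --hash=sha256:{sha256_of(path)}")
    return lines


def demo():
    """Construct a tiny wheelhouse of empty placeholder files and pin it."""
    wheelhouse = tempfile.mkdtemp()
    for fname in ("mypackage-1.0.0-py3-none-any.whl",
                  "Some_Dep-2.3.1.tar.gz",
                  "README.txt"):
        Path(wheelhouse, fname).touch()  # constructed, zero-byte placeholders
    return pinned_requirements(wheelhouse)


if __name__ == "__main__":
    print("\n".join(demo()))
```

Write the lines to requirements.txt and install on the offline node with `pip install --no-index --find-links ./wheelhouse --require-hashes -r requirements.txt`. In hash-checking mode pip refuses any requirement, transitive dependencies included, that is not pinned with a hash, so the wheelhouse has to contain every dependency and each one needs its own line; that is the point, since an artifact swapped or added to the folder no longer installs silently.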

Apt dependencies
Just use apt-offline: https://packages.debian.org/jessie/apt-offline

It will be:
Quicker
More secure
More stable

The result

$ git clone https://github.com/quarkslab/irma.git
$ cd ansible && vagrant up