From e1afc7f7208a30780fca74004a6e24cb3ef01b1c Mon Sep 17 00:00:00 2001 From: Tim Smith Date: Sun, 28 Jan 2024 23:40:21 -0800 Subject: [PATCH] Add spellchecking to this repository (#60) * Add spellchecking to this repository Signed-off-by: Tim Smith * Spelling fixes Signed-off-by: Tim Smith --------- Signed-off-by: Tim Smith --- .github/actions/spelling/README.md | 15 + .github/actions/spelling/advice.md | 23 + .github/actions/spelling/allow.txt | 0 .github/actions/spelling/excludes.txt | 50 ++ .github/actions/spelling/expect.txt | 60 ++ .../actions/spelling/line_forbidden.patterns | 532 ++++++++++++++++++ .github/actions/spelling/only.txt | 1 + .github/actions/spelling/patterns.txt | 97 ++++ .github/actions/spelling/reject.txt | 12 + .github/workflows/spell-check.yaml | 53 ++ README.md | 14 +- aws/cis-benchmark/README.md | 2 +- aws/ec2-instance-connect/README.md | 2 +- aws/ec2-instances/README.md | 4 +- aws/iam-mfa/README.md | 2 +- aws/public-s3/README.md | 4 +- azure/README.md | 2 +- gcp/cis-benchmark/README.md | 4 +- github/cis-supply-chain/README.md | 6 +- hack-lab/container-escape/aws/README.md | 38 +- hack-lab/container-escape/azure/README.md | 34 +- hack-lab/container-escape/gcp/README.md | 47 +- hack-lab/container-escape/minikube/README.md | 4 +- hack-lab/container-escape/minikube/output.tf | 10 +- hack-lab/windows-hack-environment/README.md | 16 +- okta/okta-terraform-provisioning/README.md | 24 +- 26 files changed, 955 insertions(+), 101 deletions(-) create mode 100644 .github/actions/spelling/README.md create mode 100644 .github/actions/spelling/advice.md create mode 100644 .github/actions/spelling/allow.txt create mode 100644 .github/actions/spelling/excludes.txt create mode 100644 .github/actions/spelling/expect.txt create mode 100644 .github/actions/spelling/line_forbidden.patterns create mode 100644 .github/actions/spelling/only.txt create mode 100644 .github/actions/spelling/patterns.txt create mode 100644 .github/actions/spelling/reject.txt create mode 100644 .github/workflows/spell-check.yaml diff --git a/.github/actions/spelling/README.md b/.github/actions/spelling/README.md new file mode 100644 index 0000000..562091e --- /dev/null +++ b/.github/actions/spelling/README.md @@ -0,0 +1,15 @@ +# check-spelling/check-spelling configuration + +| File | Purpose | Format | Info | +| -------------------------------------------------- | --------------------------------------------------------------- | --------------------------------------------------------- | ---------------------------------------------------------------------------------------------------- | +| [allow.txt](allow.txt) | Add words to the dictionary | one word per line (only letters and `'`s allowed) | [allow](https://github.com/check-spelling/check-spelling/wiki/Configuration#allow) | +| [reject.txt](reject.txt) | Remove words from the dictionary (after allow) | grep pattern matching whole dictionary words | [reject](https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples%3A-reject) | +| [excludes.txt](excludes.txt) | Files to ignore entirely | perl regular expression | [excludes](https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples%3A-excludes) | +| [only.txt](only.txt) | Only check matching files (applied after excludes) | perl regular expression | [only](https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples%3A-only) | +| [patterns.txt](patterns.txt) | Patterns to ignore from checked lines | perl regular expression (order matters, first match wins) | [patterns](https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples%3A-patterns) | +| [line_forbidden.patterns](line_forbidden.patterns) | Patterns to flag in checked lines | perl regular expression (order matters, first match wins) | [patterns](https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples%3A-patterns) | +| [expect.txt](expect.txt) | Expected words that aren't in the dictionary | one word per line (sorted, alphabetically) | [expect](https://github.com/check-spelling/check-spelling/wiki/Configuration#expect) | +| [advice.md](advice.md) | Supplement for GitHub comment when unrecognized words are found | GitHub Markdown | [advice](https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples%3A-advice) | + +Note: you can replace any of these files with a directory by the same name (minus the suffix) +and then include multiple files inside that directory (with that suffix) to merge multiple files together. diff --git a/.github/actions/spelling/advice.md b/.github/actions/spelling/advice.md new file mode 100644 index 0000000..cea808b --- /dev/null +++ b/.github/actions/spelling/advice.md @@ -0,0 +1,23 @@ + +
If the flagged items are false positives + +If items relate to a ... + +- binary file (or some other file you wouldn't want to check at all). + + Please add a file path to the `excludes.txt` file matching the containing file. + + File paths are Perl 5 Regular Expressions - you can [test](https://www.regexplanet.com/advanced/perl/) yours before committing to verify it will match your files. + + `^` refers to the file's path from the root of the repository, so `^README\.md$` would exclude README.md (on whichever branch you're using). + +- well-formed pattern. + + If you can write a [pattern](https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples:-patterns) that would match it, + try adding it to the `patterns.txt` file. + + Patterns are Perl 5 Regular Expressions - you can [test](https://www.regexplanet.com/advanced/perl/) yours before committing to verify it will match your lines. + + Note that patterns can't match multiline strings. + +
diff --git a/.github/actions/spelling/allow.txt b/.github/actions/spelling/allow.txt new file mode 100644 index 0000000..e69de29 diff --git a/.github/actions/spelling/excludes.txt b/.github/actions/spelling/excludes.txt new file mode 100644 index 0000000..c013ab5 --- /dev/null +++ b/.github/actions/spelling/excludes.txt @@ -0,0 +1,50 @@ +# See https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples:-excludes +(?:^|/)(?i)COPYRIGHT +(?:^|/)(?i)LICEN[CS]E +(?:^|/)go\.sum$ +(?:^|/)package(?:-lock|)\.json$ +(?:^|/)vendor/ +ignore$ +\.a$ +\.ai$ +\.avi$ +\.bmp$ +\.bz2$ +\.crt$ +\.dll$ +\.DS_Store$ +\.eot$ +\.exe$ +\.gif$ +\.gitattributes$ +\.graffle$ +\.gz$ +\.icns$ +\.ico$ +\.jar$ +\.jpe?g$ +\.key$ +\.lib$ +\.lock$ +\.map$ +\.min\.. +\.mod$ +\.mp[34]$ +\.o$ +\.ocf$ +\.otf$ +\.pdf$ +\.pem$ +\.png$ +\.psd$ +\.s$ +\.svg$ +\.tiff?$ +\.ttf$ +\.wav$ +\.webm$ +\.webp$ +\.woff2?$ +\.zip$ +^\.github/actions/spelling/ +^\Q.github/workflows/spelling.yml\E$ diff --git a/.github/actions/spelling/expect.txt b/.github/actions/spelling/expect.txt new file mode 100644 index 0000000..7cb50e5 --- /dev/null +++ b/.github/actions/spelling/expect.txt @@ -0,0 +1,60 @@ +akic +baf +cgrp +chronos +Ckxomxaar +cpe +cqc +dfdaf +Dvf +dvwa +eecdfd +FFn +fjw +fzvkw +Gci +hacklab +hnlj +hostpid +hushlogin +IBAA +icanhazip +Ikp +JFUz +Jhb +kalilinux +kbcxs +kvct +Kyybse +lhost +linux +lport +messagebus +meterpreter +MIIJKg +msfconsole +nch +NCIs +ndots +nginx +noproxy +OPENSSH +Perfetto +pfuj +pmuench +procs +randomart +rdm +rhel +rkd +secops +Thu +timesync +umxf +unminimize +unnyfkbt +upperdir +vmss +webserver +xdsp +XVCJ diff --git a/.github/actions/spelling/line_forbidden.patterns b/.github/actions/spelling/line_forbidden.patterns new file mode 100644 index 0000000..804a38f --- /dev/null +++ b/.github/actions/spelling/line_forbidden.patterns @@ -0,0 +1,532 @@ +# Detect common combinations of valid words that are in fact invalid. +# Useful for brand capitalizations + +# +# Our Terms +# + +# s.b. Mondoo Platform +\sthe Mondoo Platform\b +\sMondoo platform\b + +# s.b. Compliance Hub +\scompliance hub\b +\sCompliance hubplatform\b + +# +# Industry Terms +# + +# s.b. Side scanning +\bSidescanning\b +\bsidescanning\b + +# s.b. DevOps +\bDev Ops\b +\bDevops\b + +# s.b. SaaS +\bSaas\b +\bsaas\b + +# s.b. Docker Hub +\bDockerHub\b +\bDockerhub\b + +# s.b. REST API +\bRest API\b +\brest API\b +\brest api\b + +# s.b. DevSecOps +\bDevsecops\b + +# s.b. on-premises +\bon-premise\b + +# s.b. email +\be-mail\b + +# +# Product Names +# + +# s.b. Jira +\bJIRA\b + +# s.b. MariaDB +\bMaria DB\b +\bmariaDB\b +# \bmariaDb\b causes failures in MQL queries + +# s.b. PostgreSQL +\bPostgreSql\b + +# s.b. Firefox +\bFireFox\b + +# s.b. CentOS +\bCentos\b +\bCent OS\b +\bcentOS\b + +# s.b. macOS +\bOS X\b +\bMacOS\b +\bMac OS\b + +# s.b. Okta +\bOcta\b + +# s.b. Elasticsearch +\bElasticSearch\b + +# s.b. DocuSign +\bDocu Sign\b + +# s.b. DocuSign +\bDocu Sign\b + +# s.b. DocuSign +\bDocu Sign\b +\bDocusign\b + +# s.b. MongoDB +\bMongo DB\b +\bMongoDb\b + +# s.b. MySQL +\bMysql\b +\bMySql\b + +# s.b. OpenStack +\bOpen Stack\b +\bOpenstack\b + +# s.b. Red Hat +\bRedHat\b +\bRedhat\b + +# s.b. AlmaLinux +\bAlma Linux\b + +# s.b. openSUSE +\bOpenSUSE\b + +# s.b. openSUSE +\bopenSuse\b + +# s.b. CircleCI +\bCircleCi\b +\bCircle CI\b + +# s.b. AppArmor +\bApparmor\b +\bApp Armor\b + +# s.b. SELinux +\bSeLinux\b +\bSelinux\b + +# s.b. InSpec +\b[Ii]nspec\b + +# s.b. GitHub +\bGithub\b + +# s.b. GitLab +\bGitlab\b + +# s.b. JavaScript +\bJavascript\b + +# s.b. OpenSSL +\bOpenssl\b +\bopenSSL\b + +# +# Microsoft Products +# + +# s.b. Microsoft +\bMicroSoft\b + +# s.b. Windows Server +\bWindows server\b + +# s.b. Team Foundation Server +\bTeam foundation server\b +\bteam foundation server\b + +# s.b. Active Directory +\bActive directory\b +\bactive directory\b + +# s.b. Group Policy Object +\bGroup policy object\b +\bgroup policy object\b +\bGroup Policy object\b + +# +# VMware Products +# + +# s.b. VMware +\bVmware\b +\bVMWare\b + +# s.b. vCenter +\bVcenter\b +\bVCenter\b + +# s.b. vSphere +\bVsphere\b +\bVSphere\b + +# s.b. ESXi +\bEsxi\b + +# +# AWS Products +# + +# s.b. App2Container +\bApp2container\b + +# s.b. AppFlow +\bAppflow\b + +# s.b. AppSync +\bAppsync\b + +# s.b. CloudEnsure +\bCloudensure\b + +# s.b. CloudFormation +\bCloudformation\b + +# s.b. CloudFront +\bCloudfront\b + +# s.b. CloudHSM +\bCloudHsm\b +\bCloudhsm\b + +# s.b. CloudSearch +\bCloudsearch\b + +# s.b. CloudShell +# we can't check for Cloud Shell since that's what Azure calls it +\bCloudshell\b +\bcloudshell\b + +# s.b. CloudTrail +\bCloudtrail\b + +# s.b. CloudWatch +\bCloudwatch\b + +# s.b. CodeArtifact +\bCodeartifact\b + +# s.b. CodeBuild +\bCodebuild\b + +# s.b. CodeCommit +\bCodecommit\b + +# s.b. CodeDeploy +\bCodedeploy\b + +# s.b. CodeGuru +\bCodeguru\b + +# s.b. CodePipeline +\bCodepipeline\b + +# s.b. CodeStar +\bCodestar\b + +# s.b. Copilot +\bCoPilot\b + +# s.b. DeepRacer +\bDeepracer\b + +# s.b. DocumentDB +\bDocument DB\b +\bDocumentDb\b + +# s.b. DynamoDB +\bDynamo DB\b +\bDynamoDb\b + +# s.b. ElastiCache +\bElasticache\b + +# s.b. EventBridge +\bEventbridge\b + +# s.b. Fargate +\bFarGate\b + +# s.b. FinSpace +\bFinSpace\b + +# s.b. FSx +\bFSX\b + +# s.b. GameLift +\bGamelift\b + +# s.b. GuardDuty +\bGuardduty\b + +# s.b. Honeycode +\bHoneyCode\b + +# s.b. Lightsail +\bLightSail\b + +# s.b. MXNet +\bMxnet\b +\bMXnet\b + +# s.b. OpenSearch +\bOpensearch\b + +# s.b. OpenShift +\bOpenshift\b + +# s.b. PrivateLink +\bPrivatelink\b + +# s.b. QuickSight +\bQuicksight\b + +# s.b. Redshift +\bRedShift\b + +# s.b. RoboMaker +\bRobomaker\b + +# s.b. Route 53 +\bRoute53\b + +# s.b. SageMaker +\bSagemaker\b + +# s.b. SiteWise +\bSitewise\b + +# s.b. WorkDocs +\bWorkdocs\b + +# s.b. WorkMail +\bWorkmail\b + +# +# GCP Products +# + +# s.b. Pub/Sub +\bPubSub\b + +# s.b. Cloud SQL +\bCloudSQL\b + +# s.b. Cloud CDN +\bCloudCDN\b + +# s.b. Cloud Functions +\bCloud functions\b + +# s.b. Vertex AI +\bVertexAI\b + +# s.b. Dialogflow +\bDialogFlow\b + +# s.b. Dataplex +\bDataPlex\b + +# s.b. BigLake +\bBig Lake\b + +# s.b. AlloyDB +\bAlloy DB\b + +# s.b. Firestore +\bFireStore\b + +# s.b. Datastream +\bDataStream\b +\bData Stream\b + +# s.b. Memorystore +\bMemoryStore\b +\bMemory Store\b + +# s.b. TensorFlow +\bTensor Flow\b + +# s.b. AppEngine +\bApp Engine\b + +# s.b. AppEngine +\bApp Engine\b + +# s.b. Compute Engine +\bComputeEngine\b +\bCompute engine\b + +# s.b. VMware Engine +\bVMware engine\b +\bVMWare Engine\b + +# s.b. Knative +\bKNative\b + +# s.b. BigQuery +\bBig Query\b + +# s.b. Cloud Build +\bCloudBuild\b +\bCloud build\b + +# s.b. Cloud Run +\bCloudRun\b +\bCloud run\b + +# +# Azure Products +# + +# s.b. Azure Pipelines +\bAzure DevOps Pipelines\b + +# s.b. Key Vault +\bKey vault\b +\bKeyVault\b + +# s.b. Ampere +\bampere\b + +# s.b. Azure DevOps Server +\bAzure DevOps server\b + +# s.b. Synapse Analytics +\bSynapse analytics\b +\bsynapse analytics\b + +# s.b. Cognitive Services +\bCognitive services\b +\bcognitive services\b + +# s.b. Event Hubs +\bEvent hubs\b +\bevent hubs\b + +# s.b. CloudOps +\bCloud Ops\b +\bCloud ops\b +\bcloud ops\b + +# s.b. Batch Service +\bBatch service\b +\bbatch service\b + +# s.b. Service Fabric Cluster +\bservice fabric cluster\b + +# s.b. Azure Kubernetes Service +\bAzure Kubernetes service\b + +# s.b. Cosmos DB +\bCosmosDB\b +\bCosmoDB\b +\bCosmo DB\b + +# s.b. SignalR Service +\bSignalR service\b +\bSignal R Service\b + +# s.b. App Service Certificate +\bapp service certificate\b + +# s.b. Privileged Identity Management +\bprivileged identity management\b + +# s.b. BizTalk Service +\bBizTalk service\b +\bBiztalk service\b +\bBiz Talk service\b +\bBiz Talk Service\b + +# s.b. Data Box +\bdata box\b + +# s.b. Database Migration Service +\bdatabase migration service\b + +# s.b. Internet Analyzer +\bInternet analyzer\b +\binternet analyzer\b + +# s.b. Web Application Firewall +\bWeb application firewall\b +\bweb Application Firewall\b + +# s.b. SQL Vulnerability Assessment +\bSQL vulnerability assessment\b + +# s.b. StorSimple +\bStor Simple\b + +# +# Common Typos +# + +# s.b. another +\ban[- ]other\b + +# s.b. greater than +\bgreater then\b + +# s.b. less than +\bless then\b + +# s.b. otherwise +\bother[- ]wise\b + +# s.b. nonexistent +\bnon existing\b +\b[Nn]o[nt][- ]existent\b + +# s.b. preexisting +[Pp]re-existing + +# s.b. preempt +[Pp]re-empt\b + +# s.b. preemptively +[Pp]re-emptively + +# s.b. reentrancy +[Rr]e-entrancy + +# s.b. reentrant +[Rr]e-entrant + +# s.b. policies +[Pp]olices + +# s.b. ID +# \bId\b # disabled in this repo due to false positives + +# s.b. CSV +\bCVS\b + +# Reject duplicate words +\s([A-Z]{3,}|[A-Z][a-z]{2,}|[a-z]{3,})\s\g{-1}\s + diff --git a/.github/actions/spelling/only.txt b/.github/actions/spelling/only.txt new file mode 100644 index 0000000..cfa27f7 --- /dev/null +++ b/.github/actions/spelling/only.txt @@ -0,0 +1 @@ +\.md$ diff --git a/.github/actions/spelling/patterns.txt b/.github/actions/spelling/patterns.txt new file mode 100644 index 0000000..61cbc42 --- /dev/null +++ b/.github/actions/spelling/patterns.txt @@ -0,0 +1,97 @@ +# See https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples:-patterns + +# acceptable duplicates +# ls directory listings +[-bcdlpsw](?:[-r][-w][-sx]){3}\s+\d+\s+(\S+)\s+\g{-1}\s+\d+\s+ + +# Commit message -- Signed-off-by and friends +^\s*(?:(?:Based-on-patch|Co-authored|Helped|Mentored|Reported|Reviewed|Signed-off)-by|Thanks-to): (?:[^<]*<[^>]*>|[^<]*)\s*$ + +# Autogenerated revert commit message +^This reverts commit [0-9a-f]{40}\.$ + +# ignore long runs of a single character: +\b([A-Za-z])\g{-1}{3,}\b + +# ignore funky space IDs that blow up spell checking +api\.mondoo\.app\/space.*\b +console\.mondoo\.com\/space.*\b + +# azure subscription ID +[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12} + +# azure subscriptions URL +\/subscriptions\/\S* + +# docker container +\b[a-z,0-9]{12}\b + +# URLs in markdown links / images +]\(.*\) + +# Azure Key Vault Vault. It feels wrong, but it's technically right +Key Vault Vault + +# luna containers in scan output +\bluna/.*\b + +# this comes up in permissions and is valid +\broot root\b + +# AWS resources +(ami|subnet|vpc|sg)-[0-9a-fA-F]{17} + +# http and https URLs +https?:\/\/(www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_\+.~#?&//=]*) + +# registry key paths +HKEY_[\w\\]* + +# Container digests +\bsha256:\w* + +# mime types +\bapplication\/\S* + +# skip mql uids +uid:\s.*$ + +# ARN values +\barn:\S* + +# mac user dir path +\/Users\/\S* + +# AWS Token, ID access key, etc +aws_session_token\s+\=(\s+)?.+ +aws_access_key_id\s+\=(\s+)?.+ +aws_secret_access_key\s+\=(\s+)?.+ + +# PGP +\b(?:[0-9A-F]{4} ){9}[0-9A-F]{4}\b +# GPG keys +\b(?:[0-9A-F]{4} ){5}(?: [0-9A-F]{4}){5}\b + +# uuid +\b[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}\b + +# curl arguments +\b(?:\\n|)curl(?:\s+-[a-zA-Z]{1,2}\b)*(?:\s+-[a-zA-Z]{3,})(?:\s+-[a-zA-Z]+)* + +# set arguments +\bset(?:\s+-[abefimouxE]{1,2})*\s+-[abefimouxE]{3,}(?:\s+-[abefimouxE]+)* + +# tar arguments +\b(?:\\n|)g?tar(?:\.exe|)(?:(?:\s+--[-a-zA-Z]+|\s+-[a-zA-Z]+|\s[ABGJMOPRSUWZacdfh-pr-xz]+\b)(?:=[^ ]*|))+ + +# file permissions +['"`\s][-bcdLlpsw](?:[-r][-w][-Ssx]){2}[-r][-w][-SsTtx]\+?['"`\s] + +# score score is valid in MQL docs +score score + +# SHA256 values +\nSHA256:\S* + +# long cert lines in config +\bcluster_certificate_authority_data = .* diff --git a/.github/actions/spelling/reject.txt b/.github/actions/spelling/reject.txt new file mode 100644 index 0000000..122f5ad --- /dev/null +++ b/.github/actions/spelling/reject.txt @@ -0,0 +1,12 @@ +ad-hoc +^attache$ +benefitting +occurences? +^dependan.* +^oer$ +Sorce +^[Ss]pae.* +^untill$ +^untilling$ +^wether.* +\w*(?` . - Organization Access: Ensure you have access to the target GitHub organization, for example https://github.com/lunalectric. - GitHub Token: Generate a GitHub token with Resource owner set to lunalectric and all permissions set to read. @@ -57,4 +57,4 @@ If you encounter any issues while performing these steps: - Permission Issues: Verify that you have the necessary permissions to access and scan the GitHub organization or repositories. This may involve checking the settings of your GitHub token and your role within the organization. - Command Execution Issues: If the `cnspec`` commands are not executing as expected, ensure that cnspec is installed and updated to the latest version. -Should you encounter a problem that is not addressed in this guide, feel free to open an issue in this Github repository. For ongoing issues or broader discussions, we invite you to join us over at our [Github discussions](https://github.com/orgs/mondoohq/discussions) page. We're here to help! +Should you encounter a problem that is not addressed in this guide, feel free to open an issue in this GitHub repository. For ongoing issues or broader discussions, we invite you to join us over at our [GitHub discussions](https://github.com/orgs/mondoohq/discussions) page. We're here to help! diff --git a/hack-lab/container-escape/aws/README.md b/hack-lab/container-escape/aws/README.md index c704d3b..e90b06c 100644 --- a/hack-lab/container-escape/aws/README.md +++ b/hack-lab/container-escape/aws/README.md @@ -13,12 +13,14 @@ This folder contains Terraform automation code to provision the following: - [EKS container escape demo](#eks-container-escape-demo) - - [Prerequsites](#prerequsites) + - [Prerequisites](#prerequisites) - [Configuration](#configuration) - [Example configuration](#example-configuration) - [Provision the cluster](#provision-the-cluster) - [Connect to the cluster](#connect-to-the-cluster) - - [Deploy Mondoo Operator to AKS](#deploy-mondoo-operator-to-aks) + - [Deploy Mondoo Operator to EKS](#deploy-mondoo-operator-to-eks) + - [Deploy cert-manager](#deploy-cert-manager) + - [Deploy Mondoo Operator](#deploy-mondoo-operator) - [Deploy and configure DVWA](#deploy-and-configure-dvwa) - [Configure Port Forwarding](#configure-port-forwarding) - [Login to DVWA](#login-to-dvwa) @@ -26,15 +28,29 @@ This folder contains Terraform automation code to provision the following: - [Start the container listener](#start-the-container-listener) - [Start the host listener](#start-the-host-listener) - [Start Ruby webserver](#start-ruby-webserver) - - [Escape time](#escape-time) - - [Escalate Privileges on the container](#escalate-privileges-on-the-container) + - [Escape time via privileged container](#escape-time-via-privileged-container) + - [Escalate privileges on the container](#escalate-privileges-on-the-container) - [Gain access to worker nodes](#gain-access-to-worker-nodes) + - [Escape time via service account token](#escape-time-via-service-account-token) + - [Start the container listener](#start-the-container-listener-1) + - [Start the host listener](#start-the-host-listener-1) + - [Start the host listener](#start-the-host-listener-2) + - [Start Ruby webserver](#start-ruby-webserver-1) + - [Gain access to worker nodes through default service account token](#gain-access-to-worker-nodes-through-default-service-account-token) - [Mondoo scan commands](#mondoo-scan-commands) + - [Scan kubernetes manifest](#scan-kubernetes-manifest) + - [Scan container image from registry](#scan-container-image-from-registry) + - [Scan Kubernetes EKS cluster](#scan-kubernetes-eks-cluster) + - [Shell to Kubernetes EKS cluster](#shell-to-kubernetes-eks-cluster) +- [scan/shell kubernetes node via SSM](#scanshell-kubernetes-node-via-ssm) +- [scan/shell Kubernetes via AWS API](#scanshell-kubernetes-via-aws-api) - [Destroy the cluster](#destroy-the-cluster) + - [License and Author](#license-and-author) + - [Disclaimer](#disclaimer) -## Prerequsites +## Prerequisites - [AWS Account](https://aws.amazon.com/free/) - [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html) - `~> aws-cli/2.4.28` @@ -269,7 +285,7 @@ Events: Normal Started 23s kubelet Started container dvwa ``` -Deploy also the DVWA WebApp as a none privileged container and the the malicous role binding +Deploy also the DVWA WebApp as a none privileged container and the malicious role binding ```bash kubectl apply -f ../assets/dvwa-deployment-no-privileged.yml @@ -310,7 +326,7 @@ Log in to DVWA using `admin` with the password `password`. ![Reset the Database](../assets/dvwa_db_reset.png) -Once logged in, click on "Create / Reset Database" after which, you will be logged out. Log back in to the web application and click on "Command Injection." +Once logged in, select "Create / Reset Database" after which, you will be logged out. Log back in to the web application and select "Command Injection." Next, open three command line terminals and continue the setup process. @@ -444,7 +460,7 @@ uid=33(www-data) gid=33(www-data) groups=33(www-data) You have a shell and are the `www-data` user. -### Escalate Privileges on the container +### Escalate privileges on the container Now you need do the privilege escalation within the container to gain root. In the terminal where the container listener and run the following commands: @@ -721,13 +737,13 @@ cnspec scan k8s --path ../assets/dvwa-deployment.yml cnspec scan container docker.io/pmuench/dvwa-container-escape:latest ``` -### Scan kubernetes eks cluster +### Scan Kubernetes EKS cluster ```bash cnspec scan k8s ``` -### Shell to kubernetes eks cluster +### Shell to Kubernetes EKS cluster ```bash cnspec shell k8s @@ -793,7 +809,7 @@ cnspec scan aws ec2 ssm ssm-user@ cnspec shell aws ec2 ssm ssm-user@ ``` -# scan/shell kubernetes via aws api +# scan/shell Kubernetes via AWS API ```bash export AWS_REGION=us-east-2 diff --git a/hack-lab/container-escape/azure/README.md b/hack-lab/container-escape/azure/README.md index cc2be79..592414d 100644 --- a/hack-lab/container-escape/azure/README.md +++ b/hack-lab/container-escape/azure/README.md @@ -12,7 +12,7 @@ This folder contains Terraform automation code to provision the following: - [AKS container escape demo](#aks-container-escape-demo) - - [Prerequsites](#prerequsites) + - [Prerequisites](#prerequisites) - [Provision the cluster](#provision-the-cluster) - [Connect to the cluster](#connect-to-the-cluster) - [Deploy Mondoo Operator to AKS](#deploy-mondoo-operator-to-aks) @@ -26,8 +26,12 @@ This folder contains Terraform automation code to provision the following: - [Start the host listener](#start-the-host-listener) - [Start Ruby webserver](#start-ruby-webserver) - [Escape time](#escape-time) - - [Escalate Privileges on the container](#escalate-privileges-on-the-container) - - [Gain access to worker nodes (Escaping the pod and getting a shell on the worker node)](#gain-access-to-worker-nodes) + - [Escalate privileges on the container](#escalate-privileges-on-the-container) + - [Gain access to worker nodes (Escaping the pod and getting a shell on the worker node)](#gain-access-to-worker-nodes-escaping-the-pod-and-getting-a-shell-on-the-worker-node) + - [1. Using ServiceAccount](#1-using-serviceaccount) + - [2. Release\_agent cgroups escape](#2-release_agent-cgroups-escape) + - [3. Cronjob](#3-cronjob) + - [Get keys from keyvault](#get-keys-from-keyvault) - [Mondoo scan commands](#mondoo-scan-commands) - [Scan kubernetes manifest](#scan-kubernetes-manifest) - [Scan container image from registry](#scan-container-image-from-registry) @@ -41,7 +45,7 @@ This folder contains Terraform automation code to provision the following: -## Prerequsites +## Prerequisites - [Azure Account](https://azure.microsoft.com/en-us/free/) - [AZ CLI](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli) @@ -58,25 +62,25 @@ git clone git@github.com:Lunalectric/container-escape.git 2. cd into the terraform folder -``` +```bash cd container-escape/azure ``` 3. Initialize the project (download modules) -``` +```bash terraform init ``` 4. Check that everything is ready -``` +```bash terraform plan ``` 5. Apply the configuration -``` +```bash terraform apply -auto-approve ``` @@ -262,7 +266,7 @@ Log in to DVWA using `admin` with the password `password`. ![Reset the Database](../assets/dvwa_db_reset.png) -Once logged in, click on "Create / Reset Database" after which, you will be logged out. Log back in to the web application and click on "Command Injection." +Once logged in, select "Create / Reset Database" after which, you will be logged out. Log back in to the web application and select "Command Injection." Next, open three command line terminals and continue the setup process. @@ -401,7 +405,7 @@ uid=33(www-data) gid=33(www-data) groups=33(www-data) You have a shell and are the `www-data` user. -### Escalate Privileges on the container +### Escalate privileges on the container Now you need do the privilege escalation within the container to gain root. In the terminal where the container listener and run the following commands: @@ -462,17 +466,15 @@ In the outcome we can see the containerd which shows we are in a container (cont b. To check is if we are in a privileged container, we can check if we have access to a lot of devices. - ```bash - +```bash fdisk -l - ```` ```bash ls /dev/ ```` -There are several ways of escaping the container and land in the workernode which some of them might not work as kubernetes orchestration is keep updating in Azure. Here, we are trying three ways, which two of them is not working anymore in the new Kubernetes version (latest version deployed by terraform starting from May 2023): +There are several ways of escaping the container and land in the worker node which some of them might not work as kubernetes orchestration is keep updating in Azure. Here, we are trying three ways, which two of them is not working anymore in the new Kubernetes version (latest version deployed by terraform starting from May 2023): ### 1. Using ServiceAccount @@ -534,7 +536,7 @@ kubectl --token=`cat /run/secrets/kubernetes.io/serviceaccount/token` --certific no ``` -So, here wo donot have enough permissions and a result we cannot create a new pod from within this pod by calling the API. If we had enough permissions by getting simply 'yes' from above query, we could use following to create a pod and at the same listening on the port 4244 to get a reverse shell: +So, here we don't have enough permissions and a result we cannot create a new pod from within this pod by calling the API. If we had enough permissions by getting simply 'yes' from above query, we could use following to create a pod and at the same listening on the port 4244 to get a reverse shell: ```bash curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X POST ${APISERVER}/apis/apps/v1/namespaces/default/deployments -H 'Content-Type: application/yaml' -d '--- @@ -583,7 +585,7 @@ chmod a+x /cmd sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs" ``` -We can confirm that it did not work in the new version of the kubernets in Azure, and most probably it should be related to the fact that cgroup exploit was mainly related to the Docker and not the containerd! +We can confirm that it did not work in the new version of the Kubernetes in Azure, and most probably it should be related to the fact that cgroup exploit was mainly related to the Docker and not the containerd! ### 3. Cronjob diff --git a/hack-lab/container-escape/gcp/README.md b/hack-lab/container-escape/gcp/README.md index 457d62f..43c8856 100644 --- a/hack-lab/container-escape/gcp/README.md +++ b/hack-lab/container-escape/gcp/README.md @@ -12,7 +12,7 @@ This folder contains Terraform automation code to provision the following: - [GKE container escape demo](#gke-container-escape-demo) - - [Prerequsites](#prerequsites) + - [Prerequisites](#prerequisites) - [Provision the cluster](#provision-the-cluster) - [Connect to the cluster](#connect-to-the-cluster) - [Deploy Mondoo Operator to GKE](#deploy-mondoo-operator-to-gke) @@ -23,26 +23,27 @@ This folder contains Terraform automation code to provision the following: - [Login to DVWA](#login-to-dvwa) - [Setup Attacker Linux Instance](#setup-attacker-linux-instance) - [Start the container listener](#start-the-container-listener) - - [Start the host listener](#start-the-host-listener) - [Start Ruby webserver](#start-ruby-webserver) + - [Determine the attacker machine's public IP](#determine-the-attacker-machines-public-ip) + - [Escape time](#escape-time) - [Escaping the pod and get a shell on the node (google compute instance)](#escaping-the-pod-and-get-a-shell-on-the-node-google-compute-instance) - [Enumerate Privileges of the service account running the container](#enumerate-privileges-of-the-service-account-running-the-container) - [Deploy a pod that will get you a `root` account on the node](#deploy-a-pod-that-will-get-you-a-root-account-on-the-node) - - [Gaining a persistant bash shell on the node](#gaining-a-persistant-bash-shell-on-the-node) + - [Gaining a persistent bash shell on the node](#gaining-a-persistent-bash-shell-on-the-node) - [Mondoo scan commands](#mondoo-scan-commands) - [Scan kubernetes manifest](#scan-kubernetes-manifest) - [Scan container image from registry](#scan-container-image-from-registry) - - [Scan kubernetes gke cluster](#scan-kubernetes-gke-cluster) - - [Shell to kubernetes gke cluster](#shell-to-kubernetes-gke-cluster) - - [Scan a google cloud project](#scan-a-google-cloud-project) - - [Shell to google cloud project](#shell-to-google-cloud-project) + - [Scan Kubernetes GKE cluster](#scan-kubernetes-gke-cluster) + - [Shell to Kubernetes GKE cluster](#shell-to-kubernetes-gke-cluster) + - [Scan a Google Cloud project](#scan-a-google-cloud-project) + - [Shell to a Google Cloud project](#shell-to-a-google-cloud-project) - [Destroy the cluster](#destroy-the-cluster) - [License and Author](#license-and-author) - [Disclaimer](#disclaimer) -## Prerequsites +## Prerequisites - [Google GCP Account](https://cloud.google.com/free/) - make sure you to give the account your login in with the following IAM role [here](https://console.cloud.google.com/iam-admin): @@ -68,19 +69,19 @@ This folder contains Terraform automation code to provision the following: - make sure to install the [gke-gcloud-auth-plugin](https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke), usually via the command: - ``` + ```bash gcloud components install gke-gcloud-auth-plugin ``` - - make sure to login to you Google Cloud Account account via: + - make sure to login to you Google Cloud account via: - ``` + ```bash gcloud auth application-default login ``` - make sure to set gcloud CLI to the right project - ``` + ```bash gcloud config set project #e.g. my-test-project ``` @@ -97,25 +98,25 @@ git clone git@github.com:Lunalectric/container-escape.git 2. cd into the terraform folder -``` +```bash cd container-escape/gke ``` 3. Initialize the project (download modules) -``` +```bash terraform init ``` 4. Check that everything is ready (and safe plan to a local file) -``` +```bash terraform plan -out plan.out ``` 5. Apply the configuration -``` +```bash terraform apply plan.out -auto-approve ``` @@ -269,7 +270,7 @@ Log in to DVWA using `admin` with the password `password`. ![Reset the Database](../assets/dvwa_db_reset.png) -Once logged in, click on "Create / Reset Database" after which, you will be logged out. Log back in to the web application and click on "Command Injection." +Once logged in, select "Create / Reset Database" after which, you will be logged out. Log back in to the web application and select "Command Injection." Next, open three command line terminals and continue the setup process. @@ -346,7 +347,7 @@ root@attacker:~/container-escape# ./start_ruby_webserver [2022-08-15 18:28:35] INFO WEBrick::HTTPServer#start: pid=3850 port=8001 ``` -### Find out the attacker machines public IP: +### Determine the attacker machine's public IP ```bash root@lunalectric-attacker-vm-3v0c:~# cat container-escape/pub-ip @@ -472,7 +473,7 @@ curl -H 'Metadata-Flavor:Google' http://metadata.google.internal/computeMetadata gke-lunalectric-gke--lunalectric-pool-0e144d64-33rz.us-central1-f.c.-development-3.internal ``` -## Gaining a persistant bash shell on the node +## Gaining a persistent bash shell on the node **Confirming the hostname and IP address of the node** First we need to find out on which node we are operating. @@ -591,7 +592,7 @@ The key's randomart image is: Now we can display the private key via `cat`: -``` +```bash cat id_rsa -----BEGIN OPENSSH PRIVATE KEY----- @@ -600,7 +601,7 @@ cat id_rsa We copy and paste this key to our local machine to the file `id_rsa` and now we can connect directly via `ssh` to the compromised node with the following command: -``` +```bash ssh -i id_rsa -o CheckHostIP=no -o StrictHostKeyChecking=no @35.226.180.169 ``` @@ -650,13 +651,13 @@ cnspec scan k8s --path ../assets/dvwa-deployment-no-privileged.yml cnspec scan container docker.io/pmuench/dvwa-container-escape:latest ``` -### Scan kubernetes gke cluster +### Scan Kubernetes GKE cluster ```bash cnspec scan k8s ``` -### Shell to kubernetes gke cluster +### Shell to Kubernetes GKE cluster ```bash cnspec shell k8s diff --git a/hack-lab/container-escape/minikube/README.md b/hack-lab/container-escape/minikube/README.md index f823ae1..5a6b765 100644 --- a/hack-lab/container-escape/minikube/README.md +++ b/hack-lab/container-escape/minikube/README.md @@ -5,9 +5,9 @@ This folder contains Terraform automation code to provision the following: - **AWS VPC** - **Kali Linux AWS EC2 Instance** - This instance is provisioned for the demonstration of the container-escape and windows hack. - **Ubuntu 20.04 AWS EC2 Instance** - This instance is provisioned for the minikube and to demonstrate the container escape -- **Windows 2016** - This instance is provisioned for the demonstration of the Windows Hack and Printnightmare vulnerability. (ami-0808d6a0d91e57fd3 in eu-central-1) +- **Windows 2016** - This instance is provisioned for the demonstration of the Windows Hack and PrintNightmare vulnerability. (ami-0808d6a0d91e57fd3 in eu-central-1) -### Prerequsites +### Prerequisites - [AWS Account](https://aws.amazon.com/free/) - [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html) - `~> aws-cli/2.4.28` diff --git a/hack-lab/container-escape/minikube/output.tf b/hack-lab/container-escape/minikube/output.tf index d3ba231..d5795ad 100644 --- a/hack-lab/container-escape/minikube/output.tf +++ b/hack-lab/container-escape/minikube/output.tf @@ -46,7 +46,7 @@ ubuntu@ip-10-0-4-175:~$ kubectl apply -f dvwa-deployment.yaml - check and configure the DVWA (login: admin/password) - Open a browser and navigate to http://${module.ubuntu-k8s-instance.public_ip}:8080. - Log in to DVWA using `admin` with the password `password`. -- Once logged in, click on "Create / Reset Database" after which, you will be logged out. Log back in to the web application and click on "Command Injection." +- Once logged in, select "Create / Reset Database" after which, you will be logged out. Log back in to the web application and select "Command Injection." - Next, open three command line terminals and continue the setup process. - get the POD name @@ -135,7 +135,7 @@ SESSIONID=$(grep PHPSESSID dvwa.cookie | cut -d $'\t' -f7) patator http_fuzz 1=/usr/share/wordlists/metasploit/http_default_users.txt 0=/usr/share/wordlists/metasploit/http_default_pass.txt --threads=8 timeout=1 --rate-limit=1 url="http://${module.ubuntu-k8s-instance.private_ip}:8080/login.php" method=POST body="username=FILE1&password=FILE0&user_token=$\{CSRF}&Login=Login" header="Cookie: PHPSESSID=$\{SESSIONID}" -x ignore:fgrep=login.php -x quit:fgrep=index.php follow=0 accept_cookie=0 09:01:15 patator INFO - Starting Patator 0.9 (https://github.com/lanjelot/patator) with python-3.9.10 at 2022-06-03 09:01 UTC -09:01:15 patator INFO - +09:01:15 patator INFO - 09:01:15 patator INFO - code size:clen time | candidate | num | mesg 09:01:15 patator INFO - ----------------------------------------------------------------------------- 09:01:17 patator INFO - 302 424:0 0.012 | password:admin | 15 | HTTP/1.1 302 Found @@ -210,7 +210,7 @@ id uid=0(root) gid=0(root) groups=0(root),33(www-data) ``` -- next we compromise the the ubuntu vm +- next we compromise the ubuntu vm - login via another console to your Kali machine ```bash @@ -256,7 +256,7 @@ password: ${random_string.suffix.result} bash -c "$(curl -sSL https://install.mondoo.com/sh/cnquery)" ``` -### List all privileged Pods +### List all privileged Pods - kubectl cli @@ -554,7 +554,7 @@ spec: ' ``` -- next we compromise the the ubuntu vm +- next we compromise the ubuntu vm - login via another console to your Kali machine ```bash diff --git a/hack-lab/windows-hack-environment/README.md b/hack-lab/windows-hack-environment/README.md index 59e9481..c06f158 100644 --- a/hack-lab/windows-hack-environment/README.md +++ b/hack-lab/windows-hack-environment/README.md @@ -6,10 +6,9 @@ This folder contains Terraform automation code to provision the following: - **Kali Linux AWS EC2 Instance** - This instance is provisioned for the demonstration of the Windows hack, it is the attacker vm. - **Windows 2022 AD** - This instance is provisioned for the demonstration of Windows Active Directory hacks. - **Windows 2016 Exchange** - This instance is provisioned for the demonstration of the Windows Exchange hacks. -- **Windows 2016 DVWA** - This instance is provisioned for the demonstration of the Windows Hack and Printnightmare vulnerability/ DVWA App hack. (ami-0808d6a0d91e57fd3 in eu-central-1) +- **Windows 2016 DVWA** - This instance is provisioned for the demonstration of the Windows Hack and PrintNightmare vulnerability/ DVWA App hack. (ami-0808d6a0d91e57fd3 in eu-central-1) - -### Prerequsites +### Prerequisites - [AWS Account](https://aws.amazon.com/free/) - [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html) - `~> aws-cli/2.4.28` @@ -38,7 +37,7 @@ Before provisioning set the following environment variables: - `TF_VAR_ssh_key_path` - Path to to local ssh key for connecting to Kali Linux instance. - `TF_VAR_publicIP` - IP address of your home network to be applied to the security group for the Kali Linux, Ubuntu and Windows instance. example: `1.1.1.1/32` -### Example configuration +### Example configuration Open a terminal and run the following commands: @@ -71,31 +70,32 @@ export TF_VAR_publicIP="1.1.1.1/32" ## Provision a single environment 1. Clone the project + ```bash title="Clone the project" git clone git@github.com:Lunalectric/windows-hack-environment.git ``` 2. cd into the windows-hack-demo folder -``` +```bash cd windows-hack-environment ``` 3. Initialize the project (download modules) -``` +```bash terraform init ``` 4. Check that everything is ready -``` +```bash terraform plan -out plan.out ``` 5. Apply the configuration -``` +```bash terraform apply -auto-approve plan.out ``` diff --git a/okta/okta-terraform-provisioning/README.md b/okta/okta-terraform-provisioning/README.md index 3fc0035..2ad0fb2 100644 --- a/okta/okta-terraform-provisioning/README.md +++ b/okta/okta-terraform-provisioning/README.md @@ -2,7 +2,7 @@ This repository contains example HashiCorp Terraform code for provisioning an Okta organization. -### Prerequsites +### Prerequisites To use try the code in this repository, you will need the following: @@ -12,7 +12,7 @@ To use try the code in this repository, you will need the following: ## Setup Okta Dev Account -If you do not already have an Okta development environment, sign-up for a free account at [developer.okta.com](https://developer.okta.com). +If you do not already have an Okta development environment, sign-up for a free account at [developer.okta.com](https://developer.okta.com). ### Okta HealthInsights @@ -22,11 +22,11 @@ Okta HealthInsights provides recommended security tasks to improve security for ### Create an Okta API token -To manage Okta with Terraform and scan Okta with cnspec, you will need an Okta API token. Visit [Create an API token](https://developer.okta.com/docs/guides/create-an-api-token/main/) to learn how to create an API token. +To manage Okta with Terraform and scan Okta with cnspec, you will need an Okta API token. Visit [Create an API token](https://developer.okta.com/docs/guides/create-an-api-token/main/) to learn how to create an API token. ## Fork and clone this repository -If you want to try this code, first thing you should do is Fork it, then clone it locally. +If you want to try this code, first thing you should do is fork it, then clone it locally. ### Configure Okta Provider for Terraform @@ -47,19 +47,19 @@ This repository is configured to use my own GCP GCS bucket for the Terraform bac ### Terraform Init -Once the backend is configured, cd into the `terraform` directory in this repo and run `terraform init` to download the modules and initialize the backend. +Once the backend is configured, cd into the `terraform` directory in this repo and run `terraform init` to download the modules and initialize the backend. ### Security scan Terraform HCL with cnspec (pre-plan) Run the following command from the root directory of this repository to scan the Terraform code in this repository before you apply any changes to your Okta environment: -```typscript +```typescript cnspec scan terraform ./terraform -f policies/okta-security.mql.yaml ``` ### Security scan Terraform Plan with cnspec (post-plan) -The policy in this repository also supports scanning of Terraform plan files which provides a deeper level of understanding of the configuration changes to be applied. +The policy in this repository also supports scanning of Terraform plan files which provides a deeper level of understanding of the configuration changes to be applied. #### Generate a Terraform plan.json to scan @@ -71,14 +71,6 @@ terraform show -json tfplan > tfplan.json #### Scan the Terraform tfplan.json -```typscript +```typescript cnspec scan terraform plan tfplan.json -f policies/okta-security.mql.yaml ``` - - - - - - - -