docker_irma

WARNING: this is just a POC bootstrap to make dev/test easier, and an
alternative to the VDI/VMDK provided by Quarkslab:

http://irma.quarkslab.com/download/1.0.4/irma.vdi

Instead, this is built from the current git version and contains only the
frontend and the brain; a separate Dockerfile provides the ClamAV probe.

Before people complain: this is NOT a secure setup, never put it online
(credentials are hardcoded everywhere!).

Note: I'm not a Docker expert at all; I accept any recommendation.

It does not follow the real Docker philosophy (normally every service gets
its own container), but this is more of a starting point for dev/testing.

References:

Quick & Dirty

If you like danger, and already have docker installed and running:

# start it
wget -O - https://gist.githubusercontent.com/y0ug/8547dce315e5649b641c/raw | bash
# stop it
wget -O - https://gist.githubusercontent.com/y0ug/9e73ce0afa10f3b1e6d4/raw | bash

This pipes whatever the gist serves at that moment straight into a shell on
your host, so read the scripts before you run them:

Start script https://gist.github.com/y0ug/8547dce315e5649b641c

Stop script https://gist.github.com/y0ug/9e73ce0afa10f3b1e6d4
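A safer way to run those gists, as an added example that is not part of docker_irma or of the gists themselves: download the script to a file, compare it against a SHA-256 you recorded after reading it once, and only then execute it. The hash values in the usage comment are placeholders for you to fill in; everything else is plain POSIX sh.

```shell
#!/bin/sh
# Added example, not part of docker_irma: fetch a bootstrap script, pin it to a
# SHA-256 recorded after reviewing it, and only then execute it. This replaces
# the `wget -O - URL | bash` pattern. The hashes in the usage comment are
# placeholders (assumption: you record them yourself after reading the gist).

# Print the SHA-256 of a file (sha256sum on Linux, shasum elsewhere).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_script FILE EXPECTED: 0 if FILE hashes to EXPECTED, 1 otherwise.
verify_script() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# run_verified FILE EXPECTED: execute FILE with sh only after the hash matches.
# Returns the script's own exit status, or 1 on mismatch without running it.
run_verified() {
    if ! verify_script "$1" "$2"; then
        echo "hash mismatch for $1, refusing to run" >&2
        return 1
    fi
    sh "$1"
}

# run_pinned URL EXPECTED: download to a temp file so a truncated or tampered
# transfer never reaches the interpreter, then hand it to run_verified.
run_pinned() {
    tmp=$(mktemp) || return 1
    if ! wget -q -O "$tmp" "$1"; then
        echo "download failed: $1" >&2
        rm -f "$tmp"
        return 1
    fi
    run_verified "$tmp" "$2"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage (placeholder hashes; record the real ones after reviewing the gists):
#   run_pinned https://gist.githubusercontent.com/y0ug/8547dce315e5649b641c/raw <sha256 of start script>
#   run_pinned https://gist.githubusercontent.com/y0ug/9e73ce0afa10f3b1e6d4/raw <sha256 of stop script>
```

The download goes to a file first because a script piped directly into bash can be cut off mid-way by a dropped connection and still be partially executed. Gist raw URLs can additionally be pinned to a specific revision, which stops the content from changing under you, but the local hash check is what guarantees you run exactly what you read.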

Running with hub.docker.com

This is just an example; Docker allows lots of fancy stuff.

Starting up

# in foreground with no data persistence
# ports: 20/21 FTP, 80 HTTP (web UI), 5672 RabbitMQ (AMQP), 6379 Redis,
# all bound to the docker0 bridge address only, not to 0.0.0.0
docker run --rm -it \
        -p 172.17.42.1:20:20 -p 172.17.42.1:21:21 \
        -p 172.17.42.1:80:80 -p 172.17.42.1:5672:5672 -p 172.17.42.1:6379:6379 \
        -h brain.irma --name irma y0ug/irma

# in background, which lets you recover some files or commit changes afterwards,
# but you should really use volumes; take a look at the Makefile
docker run -d \
        -p 172.17.42.1:20:20 -p 172.17.42.1:21:21 \
        -p 172.17.42.1:80:80 -p 172.17.42.1:5672:5672 -p 172.17.42.1:6379:6379 \
        -h brain.irma --name irma y0ug/irma

# to destroy it (everything not in a mounted volume is lost);
# -f is needed because the background container is still running
docker rm -f irma

Go to http://172.17.42.1/ and you should get the IRMA web interface. Expect a
delay of around 30s: a startup race condition is papered over with a sleep (so
l33t). The other big issue is that mongodb takes a long time to initialise its
database files.

172.17.42.1 is the docker0 bridge address on the Docker release this was
written against; newer releases default to 172.17.0.1, so check the bridge
address on your host and adjust the -p bindings and the URL accordingly.

For the ClamAV probe, take a look at http://github.com/y0ug/docker_irma_probe_clamav

Shortcut

# in foreground, standalone (not recommended): uses the signature database
# from the last image build and starts an update at boot time
docker run --rm -it \
        -h clamav.probe.irma --name irma-probe-clamav \
        y0ug/irma-probe-clamav

# in foreground with clamav db persistence; it downloads the whole db
# if the directory is empty, so please be patient
docker run --rm -it \
        -v /var/volumes/irma_probe_clamav_clamav:/var/lib/clamav \
        -h clamav.probe.irma --name irma-probe-clamav \
        y0ug/irma-probe-clamav

# in background with clamav db persistence (best way)
docker run -d \
        -v /var/volumes/irma_probe_clamav_clamav:/var/lib/clamav \
        -h clamav.probe.irma --name irma-probe-clamav \
        y0ug/irma-probe-clamav

More dev env

git clone http://github.com/y0ug/docker_irma
git clone http://github.com/y0ug/docker_irma_probe_clamav

Check the Makefile inside each directory and fix VOL_DIR; it is the directory
where all my docker volumes live.

To get ssh access, use

% make sshsetup
sudo mkdir -p /var/volumes/ssh_root/
sudo chmod 700 /var/volumes/ssh_root/
sudo touch /var/volumes/ssh_root/authorized_keys
sudo chmod 600 /var/volumes/ssh_root/authorized_keys
sudo mkdir -p /var/volumes/irma_db

and just add your public key to /var/volumes/ssh_root/authorized_keys

Note: all my Makefiles use the same volume for authorized_keys, and the volume
is mounted read-write, so if one instance is compromised an attacker can hijack
every other instance by injecting a key (just a fun fact). Mounting that volume
with the :ro flag closes that hole, since the containers only need to read it.
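One way to close that hole, as an added example that is not part of the project's Makefile: mount the ssh volume read-only, and audit running containers for any writable /root/.ssh mount. It assumes a Docker version whose inspect output exposes .Mounts (1.8 or later) and the /var/volumes paths used in this README.

```shell
#!/bin/sh
# Added example, not part of docker_irma's Makefile: mount the shared
# authorized_keys volume read-only so a compromised container cannot add keys
# for the others, plus a check that flags any container still mounting
# /root/.ssh writable.
# Assumptions: `docker inspect` exposes .Mounts (Docker >= 1.8); the volume
# paths are the README's /var/volumes ones.

# Same run as `make run`, but with :ro on the ssh volume. The database volume
# stays writable because mongodb has to write to it.
run_irma_ro() {
    docker run -d \
        -v /var/volumes/ssh_root:/root/.ssh:ro \
        -v /var/volumes/irma_db:/var/lib/mongodb \
        -p 172.17.42.1:20:20 -p 172.17.42.1:21:21 -p 172.17.42.1:80:80 \
        -p 172.17.42.1:5672:5672 -p 172.17.42.1:6379:6379 \
        -h brain.irma --name irma y0ug/irma
}

# mounts_of CONTAINER prints one "SOURCE DESTINATION RW" line per mount,
# with RW being "true" or "false".
mounts_of() {
    docker inspect --format \
        '{{range .Mounts}}{{.Source}} {{.Destination}} {{.RW}}{{"\n"}}{{end}}' "$1"
}

# check_ssh_mounts reads "SOURCE DESTINATION RW" lines (as printed by
# mounts_of) on stdin and returns 1 if any /root/.ssh mount is writable,
# 0 otherwise. Offending mounts are reported on stderr.
check_ssh_mounts() {
    bad=0
    while read -r src dst rw; do
        [ -z "$dst" ] && continue
        if [ "$dst" = "/root/.ssh" ] && [ "$rw" = "true" ]; then
            echo "writable ssh volume: $src -> $dst" >&2
            bad=1
        fi
    done
    return $bad
}

# Audit every running container:
#   for c in $(docker ps -q); do
#       mounts_of "$c" | check_ssh_mounts || echo "$c mounts /root/.ssh writable"
#   done
```

Even with the volume read-only, the host still has to protect /var/volumes/ssh_root itself (the chmod 700/600 from make sshsetup); :ro only stops a container from rewriting the file.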

You don't need to build; you can start it with

% make run
docker run -d \
        -v /var/volumes/ssh_root:/root/.ssh \
        -v /var/volumes/irma_db:/var/lib/mongodb \
        -p 172.17.42.1:20:20 -p 172.17.42.1:21:21 -p 172.17.42.1:80:80 -p 172.17.42.1:5672:5672 -p 172.17.42.1:6379:6379 \
        -h brain.irma --name irma y0ug/irma
fd6cbe92e1783b284ff9bba3c47b8dec918b8f11be10c922d88a2c1710d05e82
echo ip: `docker inspect --format '{{ .NetworkSettings.IPAddress }}' irma`
ip: 172.17.0.138

You can ssh into that IP as root with the matching private key.
Most of the logs are in /var/log/supervisor/

To destroy the instance

% make destroy
docker rm -f irma
irma

If you've updated the Dockerfile

make build

And run the new version

make destroy run

TODO for the real docker world

Find a docker/devops ninja?

Manage credential setup (the hardcoded credentials are the first thing to fix).

For IRMA, switch to a volume to pass in the config.

Find out how to secure all the things.

Remove the bundled mongodb and redis. RabbitMQ is trickier because of the
hostname handling, but totally possible.

Replace them with these:

# get/run a redis docker
docker run -d --name redis -p 172.17.42.1:6379:6379 dockerfile/redis

# get/run mongo docker (data are saved into /root/db)
docker run -d -p 172.17.42.1:27017:27017 -v /root/db:/data/db --name mongodb dockerfile/mongodb

# to connect to redis cli
docker run -it --rm --link redis:redis dockerfile/redis bash -c 'redis-cli -h $REDIS_PORT_6379_TCP_ADDR'

# to connect to the mongo db
docker run -it --rm --link mongodb:mongodb dockerfile/mongodb bash -c 'mongo --host $MONGODB_PORT_27017_TCP_ADDR'

Dreaming (the final goal)

Using Docker together with Vagrant and VirtualBox, for example, to build
profiles for the Windows agent with automatic setup/install/update of the AV
and of the irma-probe git checkout.

Something with WinRM (PowerShell), Chocolatey and maybe some scripts to drive
the GUI installers of the lamer AVs.

That would make it possible to build all the AV probes in one place and push
them straight to prod with the latest updates etc...

So many possibilities...

Hardening

Nothing to see here...

Tips

If you need DNS inside Docker easily, without a heavy setup:

https://github.com/tonistiigi/dnsdock

Owner: y0ug