lab updates

modules/bases/debian_stretch_desktop_kde/secgen_metadata.xml

@@ -14,7 +14,7 @@
   <platform>unix</platform>
   <distro>Debian 9.5.0 Stretch amd64</distro>
   <url>https://app.vagrantup.com/secgen/boxes/debian_stretch_desktop_kde/versions/1.1/providers/virtualbox.box</url>
-  <ovirt_template>stretch_desktop_kde_301118</ovirt_template>
+  <ovirt_template>stretch_desktop_kde_140319</ovirt_template>
 
   <reference>https://atlas.hashicorp.com/puppetlabs</reference>
   <software_license>various</software_license>

modules/generators/structured_content/hackerbot_config/hbpam/templates/pam_unused_steps

@@ -0,0 +1,56 @@
+The output contains instructions to log the attempt to Syslog (which is what pam\_warn.so does) and deny access (using pam\_deny.so) any attempt to authenticate (the lines starting with "auth"), request access to anything (account), change passwords (password), or starting a session (session).
+
+Note that in the example above, pam\_warn.so returns "PAM\_IGNORE". Therefore the next module pam\_deny.so is started, which returns an error, and the authentication fails.
+
+
+Note that there is likely no lockout for failed password attempts when using su to change user. Confirm this by running this command a few times:
+
+```bash
+su - <%= $main_user %>; su - <%= $main_user %>; su - <%= $main_user %>; su - <%= $main_user %>;
+```
+
+When prompted each time, enter an incorrect password.
+
+Now, let's assume our aim is to add a 5 minute lockout time for when a user enters the wrong password 3 times in a row when using "su". Log-tally lockouts can be achieved using pam\_tally2.
+
+View the man page for this PAM module:
+
+```bash
+man pam\_tally2
+```
+
+Edit /etc/pam.d/su-l, and insert this line as the first module (after the comment at the start of the file):
+
+auth required pam\_tally2.so deny=3 unlock\_time=300
+
+Verify that this change has been successful by running the following command again:
+
+```bash
+su - <%= $main_user %>; su - <%= $main_user %>; su - <%= $main_user %>; su - <%= $main_user %>;
+```
+
+Enter the wrong password the first 3 times, and then the correct password on the 4th attempt.
+
+==Create a new user named "dropbear".==
+
+Finally, apply what you have learned to **configure PAM to only allow:**
+
+-   **The user "dropbear" to login between 9am and 5pm**
+
+-   **And only on a Tuesday**
+
+For testing purposes add another rule that allows a user to log in only 10 minutes from the current time
+
+> Hint: use pam\_time.so and edit /etc/security/time.conf (and read the documentation in the configuration file to figure out how to set the correct limits)
+>
+> Another hint: try the "account" type.
+
+Configure a cron job to force the user to logout at the end of their allowed time
+
+> Hint: as root, "crontab -e" and add a job to run at 5pm on Tuesday killing all of their processes
+>
+> For example, to disconnect dropbear on Wednesday at 4pm, add this line to cron (run "crontab -e", then press "i" to add):
+>
+> 00 16 \* root \* wed skill-KILL-u dropbear
+>
+> Try to figure out how to also send a warning to the user 10 minutes before they are kicked off (Hint: add another cron job, you could send a message via "wall", etc)

modules/utilities/unix/container/docker/docker.pp

@@ -1,10 +1,15 @@
-# install
-include 'docker'
-
-# download (pull) a set of images
 $secgen_params = secgen_functions::get_parameters($::base64_inputs_file)
 $images = $secgen_params['images']
 
+# install
+include 'docker'
+
+# TODO: configure proxy via secgen argument?
+#class { 'docker':
+#  proxy => "http://172.22.0.51:3128",
+#}
+
+# download (pull) a set of images
 $images.each |$image| {
   docker::image { "$image": }
 }

scenarios/labs/containers_lab_env.xml

@@ -0,0 +1,140 @@
+<?xml version="1.0"?>
+
+<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
+
+	<name>Containers lab environment</name>
+  <author>Z. Cliffe Schreuders</author>
+  <description>A single desktop lab environment with Docker containers, and some downloaded images ready to use. </description>
+
+  <type>lab-environment</type>
+
+	<system>
+		<system_name>desktop</system_name>
+		<base distro="Debian 9" type="desktop" name="KDE"/>
+
+		<input into_datastore="IP_addresses">
+			<value>172.16.0.2</value>
+		</input>
+
+		<!--generate two accounts, YOU and someone else-->
+		<input into_datastore="accounts">
+			<generator type="account">
+				<input into="username">
+					<generator type="random_word_generator">
+						<input into="wordlist">
+							<value>mythical_creatures</value>
+						</input>
+					</generator>
+				</input>
+				<input into="password">
+					<value>tiaspbiqe2r</value>
+				</input>
+				<input into="super_user">
+					<value>true</value>
+				</input>
+				<input into="leaked_filenames">
+					<value></value>
+				</input>
+				<input into="strings_to_leak">
+					<value></value>
+				</input>
+			</generator>
+			<generator type="account">
+				<input into="username">
+					<generator type="random_word_generator">
+						<input into="wordlist">
+							<value>mythical_creatures</value>
+						</input>
+					</generator>
+				</input>
+				<input into="password">
+					<value>test</value>
+				</input>
+				<input into="super_user">
+					<value>false</value>
+				</input>
+				<input into="leaked_filenames">
+					<value></value>
+				</input>
+				<input into="strings_to_leak">
+					<value></value>
+				</input>
+			</generator>
+			<generator type="account">
+				<input into="username">
+					<generator type="random_word_generator">
+						<input into="wordlist">
+							<value>mythical_creatures</value>
+						</input>
+					</generator>
+				</input>
+				<input into="password">
+					<value>test</value>
+				</input>
+				<input into="super_user">
+					<value>false</value>
+				</input>
+				<input into="leaked_filenames">
+					<value></value>
+				</input>
+				<input into="strings_to_leak">
+					<value></value>
+				</input>
+			</generator>
+		</input>
+
+		<input into_datastore="hackerbot_access_root_password">
+			<generator type="strong_password_generator"/>
+		</input>
+
+		<!--Create the users-->
+		<utility module_path=".*parameterised_accounts">
+			<input into="accounts">
+				<datastore>accounts</datastore>
+			</input>
+			<input into="strings_to_leak">
+				<value></value>
+			</input>
+		</utility>
+
+		<utility module_path=".*kde_minimal">
+			<input into="autologin_user">
+				<datastore access="0" access_json="['username']">accounts</datastore>
+			</input>
+			<input into="accounts">
+				<datastore>accounts</datastore>
+			</input>
+			<input into="autostart_konsole">
+				<value>true</value>
+			</input>
+		</utility>
+		<utility module_path=".*handy_cli_tools"/>
+		<utility module_path=".*nmap"/>
+
+		<utility module_path=".*iceweasel"/>
+
+		<utility module_path=".*docker">
+			<input into="images">
+				<value>ubuntu:xenial</value>
+		    <value>debian:stretch</value>
+		    <value>busybox</value>
+			</input>
+		</utility>
+
+		<vulnerability module_path=".*ssh_root_login">
+			<input into="root_password">
+				<datastore>hackerbot_access_root_password</datastore>
+			</input>
+		</vulnerability>
+
+		<network type="private_network" >
+			<input into="IP_address">
+				<datastore access="0">IP_addresses</datastore>
+			</input>
+		</network>
+	</system>
+
+
+</scenario>