### DevSecOps Studio Installation and Setup Source: https://github.com/paulveillard/cybersecurity-devsecops/blob/main/DevSecOps-Studio/README.md This snippet outlines the steps to clone the DevSecOps Studio repository, install Ansible dependencies, and initiate the environment setup using Vagrant. It highlights the ease of setting up the entire DevSecOps environment with just a few commands. ```bash # Download the code $ git clone https://github.com/hysnsec/DevSecOps-Studio.git && cd DevSecOps-Studio # Download the ansible dependency roles $ ansible-galaxy install -r requirements.yml -p provisioning/roles # Setup the environment, takes an hour or less based on your internet speed. $ vagrant up ``` -------------------------------- ### Basic Git Workflow Example Source: https://github.com/paulveillard/cybersecurity-devsecops/blob/main/contributing.md Demonstrates a typical Git workflow for contributing, including adding a remote upstream, creating a new feature branch, committing changes, and pushing to a fork. ```shell git remote add upstream https://github.com/paulveillard/ git checkout -b my-new-feature master git commit -a git push origin my-new-feature ``` -------------------------------- ### Environment Setup: Vagrant and VirtualBox Source: https://github.com/paulveillard/cybersecurity-devsecops/blob/main/DevSecOps-Studio/requirements.txt Instructions for installing Vagrant and VirtualBox, essential tools for managing virtualized development environments in this project. ```bash # vagrant 2.2.7 # brew install vagrant # VirtualBox 6.1.4 # VirtualBox Extension Pack 6.1.4 ``` -------------------------------- ### Ansible Playbook Example for Jenkins Setup Source: https://github.com/paulveillard/cybersecurity-devsecops/blob/main/DevSecOps-Studio/roles/geerlingguy.jenkins/README.md An example Ansible playbook demonstrating the setup of Jenkins and its Java dependency. It specifies the hosts to target and includes the necessary roles for Java and Jenkins installation. ```yaml - hosts: jenkins vars: jenkins_hostname: jenkins.example.com roles: - role: geerlingguy.java - role: geerlingguy.jenkins become: true ``` -------------------------------- ### Example Playbook for Logstash Installation Source: https://github.com/paulveillard/cybersecurity-devsecops/blob/main/DevSecOps-Studio/roles/geerlingguy.logstash/README.md An example Ansible playbook that demonstrates how to install Logstash along with its dependencies like Java and Elasticsearch. It includes pre-tasks for setting up Java packages on Debian/Ubuntu systems. ```ansible - hosts: search pre_tasks: - name: Use Java 8 on Debian/Ubuntu. set_fact: java_packages: - openjdk-8-jdk when: ansible_os_family == 'Debian' roles: - geerlingguy.java - geerlingguy.elasticsearch - geerlingguy.logstash ``` -------------------------------- ### Linux DevSecOps Studio Dependencies Installation Source: https://github.com/paulveillard/cybersecurity-devsecops/blob/main/DevSecOps-Studio/README.md Provides methods for installing DevSecOps Studio dependencies on Linux. It includes a script-based installation and manual installation steps for Virtualbox using apt-get. ```shell # Script-based installation curl -O https://raw.githubusercontent.com/hysnsec/DevSecOps-Studio/master/setup/Linux_DevSecOps_Setup.sh && chmod +x Linux_DevSecOps_Setup.sh && ./Linux_DevSecOps_Setup.sh; # Manual installation of Virtualbox using apt-get sudo sh -c 'echo "deb http://download.virtualbox.org/virtualbox/debian xenial contrib" >> /etc/apt/sources.list.d/virtualbox.list' wget -q https://www.virtualbox.org/download/oracle_vbox_2016.asc -O- | sudo apt-key add - sudo apt update sudo apt install virtualbox ``` -------------------------------- ### Local Testing Setup and Execution Source: https://github.com/paulveillard/cybersecurity-devsecops/blob/main/DevSecOps-Studio/docs/testing.md Commands to set up a Python virtual environment, install dependencies like Docker, Molecule, and Ansible, and then execute Molecule commands to create, provision, and verify a Docker container for DevSecOps testing. ```bash virtualenv env source/env/bin/activate (env) $ pip install docker molecule==2.19 (env) $ molecule create -s devsecops (env) $ molecule converge -s devsecops (env) $ molecule verify -s devsecops ``` -------------------------------- ### Install Chocolatey and Dependencies (Windows) Source: https://github.com/paulveillard/cybersecurity-devsecops/blob/main/DevSecOps-Studio/README.md Installs the Chocolatey package manager for Windows and then uses it to install Vagrant, VirtualBox, and Git. The first command installs Chocolatey, and the second installs the specified packages. ```powershell "@""%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))" && SET "PATH=%PATH%;%ALLUSERSPROFILE%\chocolatey\bin" ``` ```powershell choco install vagrant virtualbox git -y ``` -------------------------------- ### Vagrant and Virtualbox Installation (General) Source: https://github.com/paulveillard/cybersecurity-devsecops/blob/main/DevSecOps-Studio/README.md General instructions for installing Vagrant and Virtualbox, referencing their respective download pages. These are core dependencies for setting up the DevSecOps Studio environment. ```APIDOC Vagrant: Installation: Download from https://www.vagrantup.com/downloads.html Virtualbox: Installation: Download from https://www.virtualbox.org/wiki/Downloads ``` -------------------------------- ### Start Vagrant Environment Source: https://github.com/paulveillard/cybersecurity-devsecops/blob/main/DevSecOps-Studio/README.md Starts the virtual machine environment defined by Vagrant. This command provisions and boots the necessary virtual machines for the DevSecOps Studio. ```bash vagrant up ``` -------------------------------- ### Install analyze_hosts.py Source: https://github.com/paulveillard/cybersecurity-devsecops/blob/main/security-scripts/README.md Steps to clone the repository and install the Python dependencies for `analyze_hosts.py` using pip. ```bash git clone https://github.com/PeterMosmans/security-scripts && \ cd security-script && \ pip3 install -r requirements.txt ``` -------------------------------- ### Install Vagrant (Debian/Ubuntu) Source: https://github.com/paulveillard/cybersecurity-devsecops/blob/main/DevSecOps-Studio/README.md Downloads and installs a specific version of Vagrant using dpkg. This is a common method for installing Debian packages. ```bash VAGRANT_VERSION=2.2.1 wget https://releases.hashicorp.com/vagrant/${VAGRANT_VERSION}/vagrant_${VAGRANT_VERSION}_x86_64.deb sudo dpkg -i vagrant_${VAGRANT_VERSION}_x86_64.deb ``` -------------------------------- ### Ansible Installation (General) Source: https://github.com/paulveillard/cybersecurity-devsecops/blob/main/DevSecOps-Studio/README.md General instructions for installing Ansible, referencing its official documentation. Ansible is used for OS hardening and configuration within the DevSecOps Studio environment. ```APIDOC Ansible: Installation: Refer to http://docs.ansible.com/ansible/latest/intro_installation.html#installation ``` -------------------------------- ### Ansible Role: Docker Installation and Configuration Source: https://github.com/paulveillard/cybersecurity-devsecops/blob/main/DevSecOps-Studio/roles/geerlingguy.docker/README.md This snippet demonstrates how to use the Ansible role to install and configure Docker. It shows setting role variables for Docker edition, service state, Compose installation, and repository configurations for both APT and YUM based systems. It also includes an example of adding users to the docker group. ```yaml - hosts: all vars: # Edition can be one of: 'ce' (Community Edition) or 'ee' (Enterprise Edition). docker_edition: 'ce' docker_package: "docker-{{ docker_edition }}" docker_package_state: present docker_service_state: started docker_service_enabled: true docker_restart_handler_state: restarted docker_install_compose: true docker_compose_version: "1.25.4" docker_compose_path: /usr/local/bin/docker-compose # For Debian/Ubuntu systems docker_apt_release_channel: stable docker_apt_arch: amd64 docker_apt_repository: "deb [arch={{ docker_apt_arch }}] https://download.docker.com/linux/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} {{ docker_apt_release_channel }}" docker_apt_ignore_key_error: True docker_apt_gpg_key: https://download.docker.com/linux/{{ ansible_distribution | lower }}/gpg # For RedHat/CentOS systems docker_yum_repo_url: https://download.docker.com/linux/centos/docker-{{ docker_edition }}.repo docker_yum_repo_enable_edge: '0' docker_yum_repo_enable_test: '0' docker_yum_gpg_key: https://download.docker.com/linux/centos/gpg docker_users: - user1 - user2 roles: - geerlingguy.docker ``` -------------------------------- ### Example Playbook for Elasticsearch Installation Source: https://github.com/paulveillard/cybersecurity-devsecops/blob/main/DevSecOps-Studio/roles/geerlingguy.elasticsearch/README.md This snippet demonstrates how to use the Elasticsearch Ansible role in a playbook. It includes the prerequisite Java role and the Elasticsearch role itself, targeting hosts tagged as 'search'. ```ansible - hosts: search roles: - geerlingguy.java - geerlingguy.elasticsearch ``` -------------------------------- ### MacOS DevSecOps Studio Dependencies Installation Source: https://github.com/paulveillard/cybersecurity-devsecops/blob/main/DevSecOps-Studio/README.md Instructions for installing DevSecOps Studio prerequisites on MacOS using Homebrew. It covers installing Homebrew itself, Vagrant, Virtualbox, and Ansible. ```shell # Install Homebrew (Optional) /usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)" # Install Vagrant brew cask install vagrant # Install Virtualbox brew cask install virtualbox # Install Ansible brew install ansible ``` -------------------------------- ### Install Ansible using pip Source: https://github.com/paulveillard/cybersecurity-devsecops/blob/main/DevSecOps-Studio/README.md Installs Ansible using pip, the Python package installer. This command assumes Python 3 and pip are already installed. ```python pip install ansible ``` -------------------------------- ### Install docker-py Source: https://github.com/paulveillard/cybersecurity-devsecops/blob/main/DevSecOps-Studio/provisioning/molecule/gitlab-runner/INSTALL.rst Installs the docker-py Python package, which is a requirement for the project. This package allows Python applications to interact with the Docker Engine. ```bash sudo pip install docker-py ``` -------------------------------- ### Install Python 3 and Ansible (Windows) Source: https://github.com/paulveillard/cybersecurity-devsecops/blob/main/DevSecOps-Studio/README.md Installs Python 3 (which includes pip) using Chocolatey and then installs Ansible using pip. This is a common approach for setting up Python development environments on Windows. ```bash choco install python3 -y #Installs python 3, includes pip under scripts folder of python3x pip install ansible ``` -------------------------------- ### Install docker-py Source: https://github.com/paulveillard/cybersecurity-devsecops/blob/main/DevSecOps-Studio/provisioning/molecule/gitlab/INSTALL.rst Installs the docker-py Python package, which is a requirement for the project. This package allows Python applications to interact with the Docker Engine. ```bash sudo pip install docker-py ``` -------------------------------- ### Install docker-py Source: https://github.com/paulveillard/cybersecurity-devsecops/blob/main/DevSecOps-Studio/provisioning/molecule/prod/INSTALL.rst Installs the docker-py Python package, which is a requirement for the project. This package allows Python applications to interact with the Docker Engine. ```bash sudo pip install docker-py ``` -------------------------------- ### Install docker-py Source: https://github.com/paulveillard/cybersecurity-devsecops/blob/main/DevSecOps-Studio/provisioning/molecule/devsecops/INSTALL.rst Installs the docker-py Python package, which is a requirement for the project. This package allows Python applications to interact with the Docker Engine. ```bash sudo pip install docker-py ``` -------------------------------- ### Install docker-py Source: https://github.com/paulveillard/cybersecurity-devsecops/blob/main/DevSecOps-Studio/provisioning/molecule/jenkins/INSTALL.rst Installs the docker-py Python package, which is a requirement for the project. This package allows Python applications to interact with the Docker Engine. ```bash sudo pip install docker-py ``` -------------------------------- ### Install docker-py Source: https://github.com/paulveillard/cybersecurity-devsecops/blob/main/DevSecOps-Studio/provisioning/molecule/elk/INSTALL.rst Installs the docker-py Python package, which is a requirement for the project. This package allows Python applications to interact with the Docker Engine. ```bash sudo pip install docker-py ``` -------------------------------- ### Ansible Example Playbook Source: https://github.com/paulveillard/cybersecurity-devsecops/blob/main/DevSecOps-Studio/roles/geerlingguy.ruby/README.md An example of how to include and use the Ruby Ansible role in a playbook. ```ansible - hosts: server roles: - role: geerlingguy.ruby ``` -------------------------------- ### Nginx Extra Configuration Options Example Source: https://github.com/paulveillard/cybersecurity-devsecops/blob/main/DevSecOps-Studio/roles/geerlingguy.nginx/README.md Example of extra configuration options that can be inserted at the top of the Nginx configuration file. This example sets the worker resource limit for open files. ```nginx worker_rlimit_nofile 8192; ``` -------------------------------- ### VirtualBox Guest Machine Aborted Source: https://github.com/paulveillard/cybersecurity-devsecops/blob/main/DevSecOps-Studio/docs/troubleshooting.md Addresses the issue where VirtualBox crashes guest machines with an 'aborted' status. The solution is to ensure sufficient free memory (4GB) and re-run `vagrant up`. ```bash vagrant up ``` -------------------------------- ### Vagrant Up Playbook Execution Source: https://github.com/paulveillard/cybersecurity-devsecops/blob/main/DevSecOps-Studio/docs/troubleshooting.md Illustrates a common point of failure during `vagrant up` by showing a task execution log. It advises users to note the role being executed when errors occur. ```text > TASK [**jenkins**: Install Jenkins] ``` -------------------------------- ### Install Ansible Galaxy Dependencies Source: https://github.com/paulveillard/cybersecurity-devsecops/blob/main/DevSecOps-Studio/README.md Installs Ansible roles and collections specified in the requirements.yml file. This is a crucial step for Ansible to function correctly with the project's configurations. ```bash $ ansible-galaxy install -r requirements.yml ``` -------------------------------- ### Gitlab-runner Ansible Playbook Example Source: https://github.com/paulveillard/cybersecurity-devsecops/blob/main/DevSecOps-Studio/roles/gitlab-runner/README.md Example Ansible playbook to configure and register a Gitlab runner. It specifies the role, sets variables like coordinator URL, tags, and certificate path, and prompts for the registration token. ```yaml --- - hosts: gitlab-runner become: true roles: - gitlab-runner vars: gitlab_runner_coordinator_url: 'https://gitlab.example.com/ci' gitlab_runner_tags: [ 'docker' ] gitlab_runner_coordinator_cert_path: "./certs/gitlab.example.com.crt" vars_prompt: - name: "gitlab_runner_registration_token" prompt: "Registration token is" tags: - runner ``` -------------------------------- ### Clone Linux Security Scripts Repository Source: https://github.com/paulveillard/cybersecurity-devsecops/blob/main/linux-security-scripts/README.md This command downloads the entire repository of Linux security scripts from GitHub to your local machine. No further installation is required. ```bash git clone https://github.com/StrangeRanger/linux-security-scripts ``` -------------------------------- ### OWASP AppSec Rugged DevOps Pipeline Project Source: https://github.com/paulveillard/cybersecurity-devsecops/blob/main/devsecops-reference-architectures/README.md This project provides information and a sample implementation to help users set up their own AppSec Pipeline. It includes references to various security tools and Docker containers for a complete setup. ```APIDOC Project: OWASP AppSec Rugged DevOps Pipeline Project Year: 2015 Description: Increases the speed and automation of your AppSec program using sample implementation, documentation, and references. Source: https://www.owasp.org/index.php/OWASP_AppSec_Pipeline Repository: https://github.com/appsecpipeline/AppSecPipeline-Specification Software Stack: - Bandit: Static analysis security tool for Python. - OWASP Dependency-Check: Checks for project components with known vulnerabilities. - Checkmarx: Application security testing platform. - SSLLabs: Analyzes the configuration of public SSL web servers. - Arachni: Open-source web application security scanner framework. - Wappalyzer: Identifies technologies used on websites. - Snyk: Developer platform for security. - WPScan: WordPress security scanner. - Brakeman: Ruby on Rails vulnerability scanner. - OWASP ZAP: Integrated penetration testing tool for finding vulnerabilities in web applications. - Retire.js: Scans your project for outdated and vulnerable JavaScript libraries. ``` -------------------------------- ### Ansible Playbook - Java 8 Installation (Ubuntu) Source: https://github.com/paulveillard/cybersecurity-devsecops/blob/main/DevSecOps-Studio/roles/geerlingguy.java/README.md This playbook demonstrates installing OpenJDK 8 on Ubuntu systems. It includes adding a PPA for Java 8 and then applying the Ansible role with the appropriate package. ```ansible - hosts: server tasks: - name: installing repo for Java 8 in Ubuntu apt_repository: repo='ppa:openjdk-r/ppa' - hosts: server roles: - role: geerlingguy.java when: "ansible_os_family == 'Debian'" java_packages: - openjdk-8-jdk ``` -------------------------------- ### Ansible Galaxy Role Installation Error Source: https://github.com/paulveillard/cybersecurity-devsecops/blob/main/DevSecOps-Studio/docs/troubleshooting.md Troubleshoots errors encountered during `ansible-galaxy install` command, specifically the SSL handshake timeout. It suggests re-running the command as a potential fix. ```bash $ ansible-galaxy install -r requirements.yml -p provisioning/roles > downloading role 'pip', owned by geerlingguy > > __ERROR!__ Unexpected Exception: > ``` -------------------------------- ### Clone DevSecOps Studio Repository Source: https://github.com/paulveillard/cybersecurity-devsecops/blob/main/DevSecOps-Studio/README.md Clones the DevSecOps Studio repository from GitHub using Git. This is the first step in setting up the project locally. ```bash $ git clone https://github.com/hysnsec/DevSecOps-Studio.git ``` -------------------------------- ### Example Ansible Playbook to Use Pip Role Source: https://github.com/paulveillard/cybersecurity-devsecops/blob/main/DevSecOps-Studio/roles/geerlingguy.pip/README.md Demonstrates how to include the Pip Ansible role in a playbook. It shows setting the `pip_install_packages` variable to install specific Python packages like 'docker' and 'awscli' across all hosts. ```ansible - hosts: all vars: pip_install_packages: - name: docker - name: awscli roles: - geerlingguy.pip ``` -------------------------------- ### Security Scan Results JSON Format Source: https://github.com/paulveillard/cybersecurity-devsecops/blob/main/security-scripts/README.md An example JSON structure representing the results of a security scan, including arguments used, start and end times, and detailed findings for each target IP address, such as open ports and alerts. ```json { "arguments": { "target": "1.2.3.1/30", "version": false, "dry_run": false, "inputfile": "0frnfb4e", "output_file": "output.txt", "compact": true, "queuefile": "analyze_hosts.queue", "resume": false, "force": false, "debug": false, "verbose": false, "quiet": false, "allports": false, "no_portscan": false, "port": null, "up": false, "udp": false, "framework": false, "http": true, "json": "results.json", "ssl": true, "nikto": true, "sslcert": false, "trace": false, "whois": false, "proxy": null, "timeout": true, "threads": 5, "user_agent": "analyze_hosts", "password": null, "username": null, "maxtime": 1200, "testssl.sh": true, "curl": false, "wpscan": true, "droopescan": true, "nmap": true, "nmap_arguments": "-sV --open -sS --script=banner,dns-nsid,dns-recursion,http-cisco-anyconnect,http-php-version,http-title,http-trace,ntp-info,ntp-monlist,nbstat,rdp-enum-encryption,rpcinfo,sip-methods,smb-os-discovery,smb-security-mode,smtp-open-relay,ssh2-enum-algos,vnc-info,xmlrpc-methods,xmpp-info" }, "date_start": "2020-05-26 31:33:06", "results": { "1.2.3.1": { "ports": [ 53 ] }, "1.2.3.2": { "ports": [] }, "1.2.3.3": { "ports": [ 80, 443 ], "alerts": [ ":443 LUCKY13 (CVE-2013-0169), experimental potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches" ] }, "1.2.3.4": { "ports": [ 80, 443 ], "alerts": [ ":443 + OSVDB-3092: /download/: This might be interesting...", ":443 + OSVDB-3092: /status/: This might be interesting...", ":443 + OSVDB-4231: /DHrPp.xml: Coccoon from Apache-XML project reveals file system path in error messages.", ":443 + OSVDB-3092: /upgrade.php: upgrade.php was found." ] } }, "date_finish": "2020-05-26 31:33:07" } ``` -------------------------------- ### DevSecOps SDLC Overview Source: https://github.com/paulveillard/cybersecurity-devsecops/blob/main/README.md Illustrates the core stages involved in the software development lifecycle (SDLC) and the corresponding security activities required at each stage within a DevSecOps framework. ```markdown >DevSecOps makes application and infrastructure security a shared responsibility of development, security, and IT operations teams, rather than the sole responsibility of a security silo. It enables “software, safer, sooner”—the DevSecOps motto–by automating the delivery of secure software without slowing the software development cycle. Across the entire software development lifecycle, these are the core stages involved, as well as the security activities required at each stage.

Sublime's custom image

``` -------------------------------- ### DevSecOps Manifesto and Guidelines Source: https://github.com/paulveillard/cybersecurity-devsecops/blob/main/README.md Provides links to the DevSecOps Manifesto and various guidelines, including best practices for DevSecOps, security champions, web development security, and DAST with OWASP Zap. ```markdown ## `Manifesto` * [DevSecOps Manifesto](https://www.devsecops.org/) * [Best practices for DevSecOps](https://www.ibm.com/cloud/learn/devsecops#toc-best-pract-yeQPSJ8K) ## `Guidelines` While we're not into the paper-way of doing things, sharing sound advice and good recommendations can make software stronger. We aim to make these guidelines better through code. * [Introduction to DevSecOps - DZone Refcard](https://dzone.com/refcardz/introduction-to-devsecops) * [Security Champions Playbook](https://github.com/c0rdis/security-champions-playbook) * [Security Guide for Web Developers](https://github.com/FallibleInc/security-guide-for-developers) * [A practical guide to build DAST with OWASP Zap](https://github.com/Soluto/owasp-zap-glue-ci-images) * [Introduction to security testing and tools](https://www.omerlh.info/2018/10/04/write-good-code-with-security-tests/) * [DevSecOps Hub](https://snyk.io/devsecops/) ``` -------------------------------- ### DevSecOps Podcasts Source: https://github.com/paulveillard/cybersecurity-devsecops/blob/main/README.md A collection of podcasts focusing on DevOps and Security. ```markdown * [Arrested DevOps](https://www.arresteddevops.com/) * [Brakeing Down Security Podcast](http://www.brakeingsecurity.com/) * [Darknet Diaries](https://darknetdiaries.com) * [Defensive Security Podcast](http://www.defensivesecurity.org/) * [DevOps Cafe](http://devopscafe.org/) * [Down The Security Rabbithole](http://podcast.wh1t3rabbit.net/) * [Food Fight Show](http://foodfightshow.org/) * [OWASP 24/7](https://www.owasp.org/index.php/OWASP_Podcast) * [Risky Business](http://risky.biz/) * [Social Engineering Podcast](http://www.social-engineer.org/category/podcast/) * [Software Engineering Radio](http://www.se-radio.net/team/kim-carter/) * [Take 1 Security Podcast](https://danielmiessler.com/podcast/) * [Tenable Security Podcast](http://www.tenable.com/podcast) * [The Secure Developer](http://www.heavybit.com/library/podcasts/the-secure-developer/) * [Trusted Sec Podcast](https://www.trustedsec.com/podcast/) ``` -------------------------------- ### DevSecOps Definition and Benefits Source: https://github.com/paulveillard/cybersecurity-devsecops/blob/main/README.md Explains what DevSecOps is, its core principles, and the key benefits it offers, such as speed, improved security, and automation. ```markdown ## `What is DevSecOps` [DevSecOps](https://www.ibm.com/cloud/learn/devsecops)—short for *development, security, and operations*—automates the integration of security at every phase of the software development lifecycle, from initial design through integration, testing, deployment, and software delivery. >DevSecOps makes application and infrastructure security a shared responsibility of development, security, and IT operations teams, rather than the sole responsibility of a security silo. It enables “software, safer, sooner”—the DevSecOps motto–by automating the delivery of secure software without slowing the software development cycle. DevSecOps is important for the following key reasons: *speed, and security* * Rapid, cost-effective software delivery * Improved, proactive security * Accelerated security vulnerability patching * Automation compatible with modern development * A repeatable and adaptive process ``` -------------------------------- ### Retrieve Jenkins Initial Admin Password Source: https://github.com/paulveillard/cybersecurity-devsecops/blob/main/DevSecOps-Studio/docs/jenkins.md This snippet shows how to SSH into the Jenkins server managed by Vagrant and retrieve the initial administrator password stored in a file. ```bash # SSH into jenkins box, ensure you are DevSecOps Studio directory. $ vagrant ssh jenkins # Get the initial admin password $ sudo cat /var/lib/jenkins/secrets/initialAdminPassword e7352877844e454786b9c0bf11f292a1 ``` -------------------------------- ### Ansible Role: Ruby Variables Source: https://github.com/paulveillard/cybersecurity-devsecops/blob/main/DevSecOps-Studio/roles/geerlingguy.ruby/README.md Defines configurable variables for the Ruby Ansible role, including installation paths, Bundler installation, gem installation, and source compilation options. ```ansible workspace: /root ruby_install_bundler: true ruby_install_gems: [] ruby_install_gems_user: username ruby_install_from_source: false ruby_download_url: http://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.4.4.tar.gz ruby_version: 2.5.1 ruby_source_configure_command: "./configure --enable-shared" ruby_rubygems_package_name: rubygems ``` -------------------------------- ### Run testssl.sh via Docker Source: https://github.com/paulveillard/cybersecurity-devsecops/blob/main/security-scripts/README.md This command overrides the entrypoint of the `analyze_hosts` Docker image to specifically run the `testssl.sh` tool. ```docker docker run --rm --entrypoint 'testssl.sh' gofwd/analyze_hosts ``` -------------------------------- ### DevSecOps Books Source: https://github.com/paulveillard/cybersecurity-devsecops/blob/main/README.md Books that focus on DevSecOps, emphasizing security from the outset. ```markdown * [DevOpsSec](http://www.oreilly.com/webops-perf/free/devopssec.csp) * [Docker Securitiy - Quick Reference](https://binarymist.io/publication/docker-security/) * [Holistic Info-Sec for Web Developers](https://leanpub.com/b/holisticinfosecforwebdevelopers) * [Securing DevOps](https://securing-devops.com/book) * [The DevOps Handbook (Section VI)](https://www.oreilly.com/library/view/the-devops-handbook/9781457191381/) ``` -------------------------------- ### DevSecOps Tools - Hunting Source: https://github.com/paulveillard/cybersecurity-devsecops/blob/main/README.md Tools for identifying security anomalies and creating automation rules. ```markdown * [GRR](https://github.com/google/grr) * [kube-hunter](https://github.com/aquasecurity/kube-hunter) * [mig](https://github.com/mozilla/mig) * [Mirador](http://fathom.info/mirador/) * [moloch](https://github.com/aol/moloch) * [MozDef](https://github.com/mozilla/MozDef) * [osquery](https://osquery.io/) * [OSSEC](http://ossec.github.io/) * [osxcollector](https://github.com/Yelp/osxcollector) ``` -------------------------------- ### DevSecOps Studio Overview Source: https://github.com/paulveillard/cybersecurity-devsecops/blob/main/devsecops-reference-architectures/README.md DevSecOps Studio is a self-contained environment designed to simplify the learning and implementation of DevSecOps concepts. It aims to reduce the setup time and potential errors associated with manual environment configuration, making it easier for individuals to focus on learning and teaching DevSecOps practices. ```APIDOC DevSecOps Studio: Purpose: Self-contained DevSecOps environment for learning and demos. Key Features: - Easy to get started - Mostly automatic setup - Battle-tested Software Stack: - OWASP ZAP - Gauntlt - Bandit - Brakeman - Metasploit - Nmap - Findbugs - DevSec Ansible OS Hardening - Inspec - Docker - GitLab - Jenkins - Ansible - Elastic ``` -------------------------------- ### DevSecOps Training Labs Source: https://github.com/paulveillard/cybersecurity-devsecops/blob/main/README.md Hands-on learning opportunities to develop skills in Dev, Sec, and Ops, essential for DevSecOps practices. ```en * [DevSecOps Bootcamp](https://github.com/devsecops/bootcamp) * [Exercism](http://exercism.io/) * [Infoseclabs](http://www.infoseclabs.net) * [Infrastructure Monitoring](https://github.com/appsecco/defcon24-infra-monitoring-workshop) * [Pentester Lab](https://pentesterlab.com/exercises/) * [Vulnhub](https://www.vulnhub.com/) ``` -------------------------------- ### Install GitLab Dependencies on Debian Source: https://github.com/paulveillard/cybersecurity-devsecops/blob/main/DevSecOps-Studio/docs/notes.md This snippet installs the `gnupg2` package on Debian-based systems, which is a dependency for GitLab installation as per the geerlingguy/ansible-role-gitlab issue #145. It uses the `apt` module to ensure the package is present. ```yaml - name: Install GitLab dependencies (Debian). apt: name: gnupg2 state: present when: ansible_os_family == 'Debian' ``` -------------------------------- ### Disable Jenkins Setup Wizard Source: https://github.com/paulveillard/cybersecurity-devsecops/blob/main/DevSecOps-Studio/docs/notes.md This snippet demonstrates how to disable the Jenkins setup wizard by executing a Groovy script via the `jenkins_script` module in Ansible. It checks if the initial setup is complete and, if not, marks it as completed. ```yaml - name: Fix a defect to disable setup wizard jenkins_script: script: | import static jenkins.model.Jenkins.instance as jenkins import jenkins.install.InstallState if (!jenkins.installState.isSetupComplete()) { InstallState.INITIAL_SETUP_COMPLETED.initializeState() } user: "{{ admin.userid }}" password: "{{ admin.password }}" ``` ```yaml - name: Fix a defect to disable setup wizard jenkins_script: script: | import static jenkins.model.Jenkins.instance as jenkins import jenkins.install.InstallState if (!jenkins.installState.isSetupComplete()) { InstallState.INITIAL_SETUP_COMPLETED.initializeState() } user: "{{ jenkins_admin_username }}" password: "{{ jenkins_admin_password }}" ``` -------------------------------- ### Install Gitlab-runner Ansible Role Source: https://github.com/paulveillard/cybersecurity-devsecops/blob/main/DevSecOps-Studio/roles/gitlab-runner/README.md Installs the Gitlab-runner Ansible role from Ansible Galaxy. ```bash ansible-galaxy install Furdarius.gitlab-runner ``` -------------------------------- ### Nikto Scan Configuration with Settings File Source: https://github.com/paulveillard/cybersecurity-devsecops/blob/main/security-scripts/README.md Demonstrates how to use a YAML settings file to configure Nikto scan parameters, including allowed ports, Nikto plugins, tuning, and output formats, to suppress false positives and customize scans. ```yaml targets: 127.0.0.1: allowed_ports: [22, 80, 443] ports: - port: 80 nikto_plugins: "@@ALL" nikto_tuning: "x1" nikto_output: "report.html" - port: 443 testssl_untrusted: true testssl: - "--ccs-injection" - "--ticketbleed" - "--robot" ``` -------------------------------- ### Install Nginx with Ansible Source: https://github.com/paulveillard/cybersecurity-devsecops/blob/main/DevSecOps-Studio/roles/geerlingguy.nginx/README.md This Ansible role installs Nginx from official repositories on various operating systems including RedHat/CentOS, Debian/Ubuntu, Archlinux, FreeBSD, and OpenBSD. It ensures the latest version is installed and suggests post-installation configuration for virtual hosts. ```ansible # Example of how to use this role in a playbook: - hosts: webservers become: yes roles: - role: geerlingguy.nginx ``` -------------------------------- ### Ansible Playbook - Default Java Installation Source: https://github.com/paulveillard/cybersecurity-devsecops/blob/main/DevSecOps-Studio/roles/geerlingguy.java/README.md This playbook demonstrates the default usage of the Ansible role for Java, typically installing OpenJDK 7. ```ansible - hosts: servers roles: - geerlingguy.java ``` -------------------------------- ### Ansible Playbook - Java 8 Installation (RedHat/CentOS) Source: https://github.com/paulveillard/cybersecurity-devsecops/blob/main/DevSecOps-Studio/roles/geerlingguy.java/README.md This playbook shows how to install OpenJDK 8 on RedHat/CentOS systems by specifying the `java_packages` variable. ```ansible - hosts: server roles: - role: geerlingguy.java when: "ansible_os_family == 'RedHat'" java_packages: - java-1.8.0-openjdk ``` -------------------------------- ### Host Analysis Script Usage Source: https://github.com/paulveillard/cybersecurity-devsecops/blob/main/security-scripts/README.md Provides detailed usage instructions for the analyze_hosts.sh script, covering scanning options, port selection, logging, and default program configurations. It also explains how to specify target hosts. ```bash ./analyze_hosts.sh [OPTION]... [HOST] Scanning options: -a, --all perform all basic scans --max perform all advanced scans (more thorough) -b, --basic perform basic scans (fingerprint, ssl, trace) results of HOST matches regexp FILTER --dns test for recursive query and version string -f perform web fingerprinting (all webports) --fingerprint perform all web fingerprinting methods -h, --header show webserver headers (all webports) -n, --nikto nikto webscan (all webports) -p nmap portscan (top 1000 TCP ports) --ports nmap portscan (all ports, TCP and UDP) --redirect test for open secure redirect -s check SSL configuration --ssl perform all SSL configuration checks --sslcert show details of SSL certificate --timeout=SECONDS change timeout for tools (default 60) --ssh perform SSH configuration checks -t check webserver for HTTP TRACE method --trace perform all HTTP TRACE method checks -w, --whois perform WHOIS lookup for (hostname and) IP address -W confirm WHOIS results before continuing scan --filter=FILTER only proceed with scan of HOST if WHOIS --wordlist=filename scan webserver for existence of files in filename Port selection (comma separated list): --webports=PORTS use PORTS for web scans (default 80,443,8080) --sslports=PORTS use PORTS for ssl scans (default 443,465,993,995,3389) Logging and input file: -d, --directory=DIR location of temporary files (default /tmp) -i, --inputfile=FILE use a file containing hostnames -l, --log log each scan in a separate logfile --nocolor don't use fancy colors in screen output -o, --output=FILE concatenate all OK and WARNING messages into FILE -q, --quiet quiet -v, --verbose show server responses Default programs: --cipherscan=FILE location of cipherscan (default cipherscan) --openssl=FILE location of openssl (default openssl) -u update this script (if it's a cloned repository) --update force update (overwrite all local modifications) --version print version information and exit BLUE: INFO, status messages GREEN: OK, secure settings RED: WARNING, possible vulnerabilities [HOST] can be a single (IP) address, an IP range, eg. 127.0.0.1-255 or multiple comma-separated addressess ```