Merge pull request #8 from Lunalectric/update-minikube-demo

update minikube demo and cnspec commands
mondoohq · Feb 6, 2023 · 00e9441 · 00e9441
2 parents 2fe585a + 5a0107d
commit 00e9441
Show file tree

Hide file tree

Showing 6 changed files with 33 additions and 16 deletions.
diff --git a/aws/README.md b/aws/README.md
@@ -711,26 +711,26 @@ ip-10-0-6-13.us-east-2.compute.internal
 ### Scan kubernetes manifest
 
 ```bash
-mondoo scan k8s --path ../assets/dvwa-deployment.yml
+cnspec scan k8s --path ../assets/dvwa-deployment.yml
 ```
 
 ### Scan container image from registry
 
 ```bash
-mondoo scan cr docker.io/pmuench/dvwa-container-escape:latest
+cnspec scan container docker.io/pmuench/dvwa-container-escape:latest
 ```
 
 
 ### Scan kubernetes eks cluster
 
 ```bash
-mondoo scan k8s
+cnspec scan k8s
 ```
 
 ### Shell to kubernetes eks cluster
 
 ```bash
-mondoo shell -t k8s
+cnspec shell k8s
 ```
 
 List all of the pods and all of their settings:
@@ -788,17 +788,17 @@ k8s.pods.where(containers { securityContext['allowPrivilegeEscalation'] != true
 ```bash
 export AWS_REGION=us-east-2
 
-mondoo scan -t aws-ec2-ssm://ssm-user@<AWS Instance ID>
+cnspec scan aws ec2 ssm ssm-user@<AWS Instance ID>
 
-mondoo shell -t aws-ec2-ssm://ssm-user@<AWS Instance ID>
+cnspec shell aws ec2 ssm ssm-user@<AWS Instance ID>
 ```
 
 # scan/shell kubernetes via aws api
 
 ```bash
 export AWS_REGION=us-east-2
 
-mondoo shell -t aws
+mondoo shell aws
 
 aws.eks.clusters { * }
 

diff --git a/aws/main.tf b/aws/main.tf
@@ -267,7 +267,7 @@ data "aws_ami" "kali_linux" {
 
   filter {
     name   = "name"
-    values = ["kali-linux-2022.*"]
+    values = ["kali-rolling-amd64-2022*"]
   }
 
   filter {
@@ -295,6 +295,15 @@ module "ec2_instance" {
   subnet_id              = element(module.vpc.public_subnets, 0)
   user_data              = file("${path.module}/templates/setup_metapreter")
 
+  root_block_device = [
+    {
+      encrypted             = true
+      delete_on_termination = true
+      volume_type = "gp2"
+      volume_size = 30
+    },
+  ]
+
   tags = merge(
     local.default_tags, {
       "Name" = "kali-linux-hacker-instance-${random_string.suffix.result}"

diff --git a/minikube/README.md b/minikube/README.md
@@ -73,7 +73,7 @@ terraform apply -auto-approve
 6. Create Hack-Write-up as Markdown
 
 ```bash
-terraform output | sed "/^EOT/c\ " | sed "/hack_write_up = <<EOT/c\ " | sed 's/\$\\{CSRF\\}/\${CSRF}/g' > Hack-writeup.md
+terraform output | sed "/^EOT/c\ " | sed "/hack_write_up = <<EOT/c\ " | sed 's/\$\\{/\${/g' | sed 's/\$\\}/\$}/g' > Hack-writeup.md
 ```
 
 Once the provisioning completes you will see something like this:

diff --git a/minikube/main.tf b/minikube/main.tf
@@ -101,11 +101,11 @@ resource "aws_iam_role_policy_attachment" "dev-resources-ssm-policy" {
 
 data "aws_ami" "kali_linux" {
   most_recent = true
-  owners      = ["679593333241", "769304176199"]
+  owners      = ["679593333241"]
 
   filter {
     name   = "name"
-    values = ["kali-linux-2022.*"]
+    values = ["kali-rolling-amd64-2022*"]
   }
 
   filter {
@@ -159,6 +159,15 @@ module "kali" {
   subnet_id              = element(module.vpc.public_subnets, 0)
   user_data              = templatefile("${path.module}/templates/change-password.tpl", { pass_string = "${random_string.suffix.result}" })
 
+  root_block_device = [
+    {
+      encrypted             = true
+      delete_on_termination = true
+      volume_type = "gp2"
+      volume_size = 30
+    },
+  ]
+
   tags = merge(
     local.default_tags, {
       "Name" = "${random_string.suffix.result}-kali-linux-hacker-instance"

diff --git a/minikube/multi_deploy.sh b/minikube/multi_deploy.sh
@@ -59,8 +59,7 @@ do
   terraform plan
   terraform apply -auto-approve
   terraform output > terraform-run.log
-  sed "/^EOT/c\ " terraform-run.log | sed "/hack_write_up = <<EOT/c\ " | sed 's/\\{/{/g' > "$c.md"
-
+  sed "/^EOT/c\ " terraform-run.log | sed "/hack_write_up = <<EOT/c\ " | sed 's/\$\\{/\${/g' | sed 's/\$\\}/\$}/g' > "$c.md"
   cd ../../
 
 	sleep 1

diff --git a/minikube/output.tf b/minikube/output.tf
@@ -75,7 +75,7 @@ password: ${random_string.suffix.result}
 
 ```bash
 sudo apt update
-sudo apt install -y wordlists gobuster dirsearch metasploit-framework golang patator
+sudo apt install -y wordlists gobuster dirsearch metasploit-framework golang patator vim
 sudo gem install webrick
 go install -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest
 
@@ -384,7 +384,7 @@ policies:
         email: [email protected]
     specs:
       - asset_filter:
-          query: platform.name == 'kubernetes'
+          query: asset.platform == 'k8s-cluster' || asset.platform == 'k8s-pod'
         scoring_queries:
           example-01:
         data_queries:
@@ -404,7 +404,7 @@ queries:
 - execute the policy with cnspec
 
 ```bash
-cnspec scan k8s --policy-bundle ./policy.yaml
+cnspec scan k8s --policy-bundle ./policy.yaml --discover clusters -o full
 ```
 
 ## Service Account Hack