This is a set of playbooks for setting up a container security workstation with common tools for doing container security reviews.
There are six playbooks in the repository:
- cli_container_sec_workstation.yml - Installs only command line tools
- gui_container_sec_workstation.yml - Adds tools that have a GUI but relies on a remote X server being available
- desktop_container_sec_workstation.yml - Installs XFCE4 and xrdp so you can get a full remote desktop
- wsl_container_sec_workstation.yml - Designed for installation inside a WSL environment that already has Docker installed (via Docker for Windows) and is running as root
- docker_container_sec_workstation.yml - Designed for creating Docker images for container security testing
- ec2_container_workstation.yml - Designed for creating an EC2 instance with the tools installed
Pre-requisites:
- Tested on Ubuntu, may work on other deb-based distros
- Ansible install
  - Probably best to install via pip
- Change the `user` var in the playbook to your username
- You'll need these Ansible Galaxy collections:

```
ansible-galaxy collection install amazon.aws
ansible-galaxy collection install maxhoesel.caddy
```
Once you've got the pre-requisites installed, you can just run

```
ansible-playbook [playbook-YAML-file]
```

and it should set up the machine as needed.
Here the goal is to use the playbook to create a container that can be turned into an image and pushed to a Docker registry for later use.

```
ansible-playbook docker_container_sec_workstation.yml
```

After running the playbook, stop the container:

```
docker stop base
```

Then commit it to an image, here `container_sec_image`:

```
docker commit base container_sec_image
```

Then push to a registry of your choosing.
Make sure to look at all the variables specified in the playbook and adapt them as needed. In particular:
- `keypair` - The name of the keypair to use for SSH access
- `security_group` - The name of the security group to use for the EC2 instance
- `subnet_id` - The subnet to use for the EC2 instance. This is in the region file in ansible_vars.
If you want a valid TLS cert and have a DNSimple account, uncomment the relevant lines in the playbook and set:
- `dnsimple_api_key` to your DNSimple API token
- `dnsimple_account_email` to the email address associated with your DNSimple account
- `dns_domain` to the domain you want a record created at

Then uncomment the task for setup of the DNS record in the playbook.
The CLI playbook installs the following tools:
- Auger
- Docker
- eathar
- etcdctl
- gvisor
- helm
- kind
- kubectl
- kubens & kubectx
- kube-ps1
- nmap
- regclient
- rbac-tool
- teisteanas
- tocan
- trivy
- whaler
- dive
If you install the GUI or desktop playbooks, they add some handy tools that require a GUI. You can then access the VM from a machine with an X server (e.g. MobaXterm or Xming on Windows) to use these additional tools:
- firefox
- octant
- Visual Studio Code, with the Docker, Kubernetes and YAML plugins

If you install the EC2 playbook, it sets up a Code-Server instance on 443/TCP and then hooks up Caddy to it to provide a reverse proxy with TLS.
TODO:
- Add more tools
- Ensure all tools from remote sources have signature/checksum checking
- Make the EC2 install more flexible, less hardcoded
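One way to tackle the checksum item above, as an added example that is not taken from the repository's playbooks: an Ansible play that fetches a tool release with `ansible.builtin.get_url` and lets the module refuse the download when its SHA-256 does not match a pinned value, so only a verified archive is ever unpacked. The tool name, version, download URL and hash are placeholders you would replace with the values published by the tool's maintainers.

```yaml
# Added example (not part of the repository): download a tool release and
# verify its SHA-256 before installing it. Every value below is a placeholder.
- hosts: localhost
  become: true
  vars:
    tool_name: "example-tool"                     # placeholder tool name
    tool_version: "0.0.0"                         # placeholder version
    # Pin the digest published alongside the release. get_url compares the
    # downloaded file against it and fails the task on any mismatch, so a
    # tampered, truncated or wrong-version archive never reaches the unpack step.
    tool_sha256: "REPLACE_WITH_PUBLISHED_SHA256"  # placeholder hash
    tool_url: "https://example.invalid/{{ tool_name }}/v{{ tool_version }}/{{ tool_name }}_linux_amd64.tar.gz"
    tool_archive: "/tmp/{{ tool_name }}_{{ tool_version }}.tar.gz"

  tasks:
    - name: Download {{ tool_name }} {{ tool_version }} with checksum verification
      ansible.builtin.get_url:
        url: "{{ tool_url }}"
        dest: "{{ tool_archive }}"
        checksum: "sha256:{{ tool_sha256 }}"
        mode: "0644"
      # The checksum field also accepts a URL of a published checksums file,
      # e.g. "sha256:https://example.invalid/.../checksums.txt"; get_url then
      # looks up the entry whose filename matches the downloaded archive.

    - name: Unpack the verified archive into /usr/local/bin
      ansible.builtin.unarchive:
        src: "{{ tool_archive }}"
        dest: /usr/local/bin
        remote_src: true
        include:
          - "{{ tool_name }}"     # only extract the binary, nothing else in the tarball
        mode: "0755"

    - name: Remove the downloaded archive
      ansible.builtin.file:
        path: "{{ tool_archive }}"
        state: absent
```

Because the failure happens inside `get_url`, a checksum mismatch stops the play before anything is written under /usr/local/bin, which is the behaviour you want from a tool-installation step.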