-
Notifications
You must be signed in to change notification settings - Fork 319
Utility Modules
Utilities, in relation to SecGen, are secure programs that are not linked to a network service socket.
Utilities refer to programs that add extra depth to the generated image, for example Java or Wireshark.
Utility modules are SecGen modules that install and configure secure utilities on the generated virtual machine.
Unlike services, utilities are not installed on network service sockets, thus can only be accessed from within the generated machine itself.
Utility modules are created to add more depth and complexity to generated machines, as well as ensuring the installed utilities do not inherently create more vulnerabilities.
Utility modules are stored in the utilities directory, a simplified SecGen file structure to the utilities directory is below:
/SecGen
/modules
/utilities
New utility modules can be created via importing puppet modules from places like puppetforge, and then modifying them into SecGen's module structure.
The utilities folder is structured as shown below:
/utilities
/unix
/{utility_type}
/{utility_name_#1}
/{utility_name_#2}
/windows
/{utility_type}
/{utility_name_#1}
/{utility_name_#2}
Where:
{utility_type}:
respective utility type, e.g. languages or firewall
{utility_name}:
respective utility module root directory, e.g. java or iptables
A full overview of SecGen's module structure can be found here.
A template structure of the utility modules secgen_metadata.xml can be found here.
SecGen uses Puppet to provision its modules to the generated virtual machine. This guide will detail the development process and provisioning of the Python puppet module found on the Puppet Forge
Although this tutorial uses the linux terminal, other ways exists of doing the same steps. Allowing for terminal commands however, removes software and gui requirements for users.
Puppet modules can be found on the Puppet Forge - The example used in this tutorial is zlieslie/python.
First, download the puppet module to your development machine
wget https://forge.puppet.com/v3/files/zleslie-python-2.2.1.tar.gz
Next, create a directory in the correct directory path for your selected module, in this case we will be installing a secure utility, so it will be under the /utility directory.
This utility can be stored in the languages subdirectory
mkdir SecGen/modules/services/unix/languages
However, if no existing subdirectory exists for the utility type, the subdirectory can be generatred with this command
mkdir SecGen/modules/services/unix/{new_utility_type}
Next, unzip the contents of the puppet module downloaded earlier, into the newly created directory
tar -xvf zleslie-python-2.2.1.tar.gz -C ~/{path_to_SecGen}/SecGen/modules/utilities/unix/languages/
Finally, rename the extracted file into a simpler name
mv zleslie-python-2.2.1 python
Now your services directory structure should look something like this
/SecGen
/modules
/utilities
/unix
/languages
/python
/lib
/spec
/manifests
/templates
/tests
In order to execute the module, a manifest file will need to be created, this manifest should have the same name as the module.
The puppet manifest should call the class for the module, this will differ between puppet modules and is usually included in the module documentation, for this example, we are going to install apache with the default configuration
class { 'python': }
The SecGen metadata is used to store information about the puppet module that is used in the SecGen module selection process, see the current XML Schema for an up-to-date representation as to what this should look like.
The module can be tested by strictly specifying that this module be included in the scenario.xml
<utility type="languages" name="python"></utility>
or
<utility module_path="modules/utilities/unix/languages/python"></utility>
When SecGen is run, there should be some verbose output from vagrant specifying that python has been installed.