merge upstream master

aws/Jenkins_proj-master/.pan-cnc/deploy/.meta-cnc.yaml

@@ -17,7 +17,7 @@ extends:
 
 # Labels allow grouping and type specific options and are generally only used in advanced cases
 labels:
-  collection: Jenkins Security Framework
+  collection: AWS Jenkins Security Framework
 
 # variables define the things an operator may customize in this skillet. Things like DNS servers, NTP addresses, etc
 # may be customized for each deployment. Each variable will be rendered as a form field in the panhandler application
@@ -40,16 +40,40 @@ variables:
     type_hint: password
   - name: aws_region
     description: AWS Region
-    default: us-east-2
-    type_hint: text
+    type_hint: dropdown
+    dd_list:
+      - key: "us-west-1--- N.California"
+        value: "us-west-1"
+      - key: "us-west-2--- Oregon"
+        value: "us-west-2"
+      - key: "us-east-1--- N.Virginia"
+        value: "us-east-1"
+      - key: "us-east-2--- Ohio"
+        value: "us-east-2"
+      - key: "ca-central-1--- Canada Central"
+        value: "ca-central-1"
+      - key: "eu-west-1--- Ireland"
+        value: "eu-west-1"
+      - key: "eu-west-2--- London"
+        value: "eu-west-2"
+      - key: "eu-central-1--- Frankfurt"
+        value: "eu-central-1"
+      - key: "ap-east-1--- Hong Kong"
+        value: "ap-east-1"
+      - key: "ap-northeast-1--- Tokyo"
+        value: "ap-northeast-1"
+      - key: "ap-southeast-1--- Singapore"
+        value: "ap-southeast-1"
+      - key: "ap-southeast-2--- Sydney"
+        value: "ap-southeast-2"
+      - key: "ap-south-1--- Mumbai"
+        value: "ap-south-1"
+      - key: "sa-east-1--- Sao Paulo"
+        value: "sa-east-1"
   - name: aws_key_pair
     description: AWS Key Pair
     default: us-east-2-kp
     type_hint: text
-  - name: s3_bootstrap_bucket
-    description: S3 Bootstrap Bucket
-    default: unique_value
-    type_hint: text
 
 # Snippets is an ordered list of configuration xml fragments that will be pushed to the PAN-OS NGFW. The xpath
 # determines where in the configuration hierarchy the xml fragment will be set. 'file' indicates the name of the file

aws/Jenkins_proj-master/.pan-cnc/destroy/.meta-cnc.yaml

@@ -15,7 +15,7 @@ extends:
 
 # Labels allow grouping and type specific options and are generally only used in advanced cases
 labels:
-  collection: Jenkins Security Framework
+  collection: AWS Jenkins Security Framework
 
 # variables define the things an operator may customize in this skillet. Things like DNS servers, NTP addresses, etc
 # may be customized for each deployment. Each variable will be rendered as a form field in the panhandler application

aws/Jenkins_proj-master/.pan-cnc/launch/.meta-cnc.yaml

@@ -17,7 +17,7 @@ extends:
 
 # Labels allow grouping and type specific options and are generally only used in advanced cases
 labels:
-  collection: Jenkins Security Framework
+  collection: AWS Jenkins Security Framework
 
 # variables define the things an operator may customize in this skillet. Things like DNS servers, NTP addresses, etc
 # may be customized for each deployment. Each variable will be rendered as a form field in the panhandler application

aws/Jenkins_proj-master/.pan-cnc/send/.meta-cnc.yaml

@@ -15,7 +15,7 @@ extends:
 
 # Labels allow grouping and type specific options and are generally only used in advanced cases
 labels:
-  collection: Jenkins Security Framework
+  collection: AWS Jenkins Security Framework
 
 # variables define the things an operator may customize in this skillet. Things like DNS servers, NTP addresses, etc
 # may be customized for each deployment. Each variable will be rendered as a form field in the panhandler application

aws/Jenkins_proj-master/WebInDeploy/aws_vars.tf

@@ -14,9 +14,6 @@ variable "FW1_Untrust_IP" {}
 
 variable "FW1_Trust_IP" {}
 variable "FW1_mgmt_IP" {}
-
-variable "bootstrap_s3bucket" {}
-
 variable "VPCName" {}
 variable "VPCCIDR" {}
 variable "ServerKeyName" {}
@@ -52,20 +49,20 @@ variable "kali" {
   type = "map"
 
   default = {
-    "us-east-1"      = "ami-092d0d014b7b31a08"
-    "us-east-2"      = "ami-0a444079f17309e2a"
-    "us-west-1"      = "ami-03e0ff3de0548396b"
-    "us-west-2"      = "ami-07c2e617785343806"
-    "eu-west-1"      = "ami-04bbe683cac096622"
-    "eu-west-2"      = "ami-05f478183aa65246f"
-    "ap-northeast-1" = "ami-0093e807f67a5f1e7"
-    "ap-northeast-2" = "ami-06ffd66e21c3ceb62"
-    "ap-southeast-1" = "ami-0e22510ff08cbb147"
-    "ap-southeast-2" = "ami-0d4437b6104e6b9bd"
-    "eu-central-1"   = "ami-08b17dda213f62471"
-    "sa-east-1"      = "ami-05cfb15d232b8be2a"
-    "ca-central-1"   = "ami-0e4c58a6a5ae9e417"
-    "ap-south-1"     = "ami-0b13a1e1e3db28939"
+    "us-west-1"      = "ami-0a3a5bb61a81e3135"
+    "us-west-2"      = "ami-000de76905d16b042"
+    "us-east-1"      = "ami-021d9d94f93a07a43"
+    "us-east-2"      = "ami-04239d579c52de263"
+    "ca-central-1"   = "ami-00ecb370195d6a225"
+    "eu-west-1"      = "ami-09e0dc5839aa7eca9"
+    "eu-west-2"      = "ami-0629d16d9e818369f"
+    "eu-central-1"   = "ami-0d30b058bf84b0a0c"
+    "ap-east-1"      = "ami-72661d03"
+    "ap-northeast-1" = "ami-0910fb379f9c0dda9"
+    "ap-southeast-1" = "ami-0dff5e99784353c4a"
+    "ap-southeast-2" = "ami-042ed6b729919aa24"
+    "ap-south-1"     = "ami-0f382fa26248923ea"
+    "sa-east-1"      = "ami-027c2142d479531cb"
   }
 }
 
@@ -74,19 +71,19 @@ variable "UbuntuRegionMap" {
 
   #Ubuntu Server 16.04 LTS (HVM)
   default = {
-    "us-east-1"      = "ami-092d0d014b7b31a08"
-    "us-east-2"      = "ami-0a444079f17309e2a"
-    "us-west-1"      = "ami-03e0ff3de0548396b"
-    "us-west-2"      = "ami-07c2e617785343806"
-    "eu-west-1"      = "ami-04bbe683cac096622"
-    "eu-west-2"      = "ami-05f478183aa65246f"
-    "ap-northeast-1" = "ami-0093e807f67a5f1e7"
-    "ap-northeast-2" = "ami-06ffd66e21c3ceb62"
-    "ap-southeast-1" = "ami-0e22510ff08cbb147"
-    "ap-southeast-2" = "ami-0d4437b6104e6b9bd"
-    "eu-central-1"   = "ami-08b17dda213f62471"
-    "sa-east-1"      = "ami-05cfb15d232b8be2a"
-    "ca-central-1"   = "ami-0e4c58a6a5ae9e417"
-    "ap-south-1"     = "ami-0b13a1e1e3db28939"
+    "us-west-1"      = "ami-0a3a5bb61a81e3135"
+    "us-west-2"      = "ami-000de76905d16b042"
+    "us-east-1"      = "ami-021d9d94f93a07a43"
+    "us-east-2"      = "ami-04239d579c52de263"
+    "ca-central-1"   = "ami-00ecb370195d6a225"
+    "eu-west-1"      = "ami-09e0dc5839aa7eca9"
+    "eu-west-2"      = "ami-0629d16d9e818369f"
+    "eu-central-1"   = "ami-0d30b058bf84b0a0c"
+    "ap-east-1"      = "ami-72661d03"
+    "ap-northeast-1" = "ami-0910fb379f9c0dda9"
+    "ap-southeast-1" = "ami-0dff5e99784353c4a"
+    "ap-southeast-2" = "ami-042ed6b729919aa24"
+    "ap-south-1"     = "ami-0f382fa26248923ea"
+    "sa-east-1"      = "ami-027c2142d479531cb"
   }
 }

aws/Jenkins_proj-master/WebInDeploy/bootstrap.tf

@@ -1,7 +1,18 @@
 # Create a BootStrap S3 Bucket
 
+resource "random_id" "bucket_prefix" {
+  byte_length = 4
+}
+
+#data "aws_s3_bucket" "jenkins" {
+#  bucket = "bootstrap_bucket"
+
+#region = "${var.aws_region}"
+#}
+
 resource "aws_s3_bucket" "bootstrap_bucket" {
-  bucket        = "${var.bootstrap_s3bucket}"
+  #bucket_prefix = "${var.bucket_prefix}"
+  bucket        = "sec-frame-jenkins-${lower(random_id.bucket_prefix.hex)}"
   acl           = "private"
   force_destroy = true
 
@@ -10,38 +21,42 @@ resource "aws_s3_bucket" "bootstrap_bucket" {
   }
 }
 
-# Create Folders and Upload Bootstrap Files
 resource "aws_s3_bucket_object" "bootstrap_xml" {
-  bucket = "${aws_s3_bucket.bootstrap_bucket.id}"
-  acl    = "private"
-  key    = "config/bootstrap.xml"
-  source = "bootstrap/bootstrap.xml"
+  depends_on = ["aws_s3_bucket.bootstrap_bucket"]
+  bucket     = "sec-frame-jenkins-${lower(random_id.bucket_prefix.hex)}"
+  acl        = "private"
+  key        = "config/bootstrap.xml"
+  source     = "bootstrap/bootstrap.xml"
 }
 
 resource "aws_s3_bucket_object" "init-cft_txt" {
-  bucket = "${aws_s3_bucket.bootstrap_bucket.id}"
-  acl    = "private"
-  key    = "config/init-cfg.txt"
-  source = "bootstrap/init-cfg.txt"
+  bucket     = "sec-frame-jenkins-${lower(random_id.bucket_prefix.hex)}"
+  depends_on = ["aws_s3_bucket.bootstrap_bucket"]
+  acl        = "private"
+  key        = "config/init-cfg.txt"
+  source     = "bootstrap/init-cfg.txt"
 }
 
 resource "aws_s3_bucket_object" "software" {
-  bucket = "${aws_s3_bucket.bootstrap_bucket.id}"
-  acl    = "private"
-  key    = "software/"
-  source = "/dev/null"
+  bucket     = "sec-frame-jenkins-${lower(random_id.bucket_prefix.hex)}"
+  depends_on = ["aws_s3_bucket.bootstrap_bucket"]
+  acl        = "private"
+  key        = "software/"
+  source     = "/dev/null"
 }
 
 resource "aws_s3_bucket_object" "license" {
-  bucket = "${aws_s3_bucket.bootstrap_bucket.id}"
-  acl    = "private"
-  key    = "license/"
-  source = "/dev/null"
+  bucket     = "sec-frame-jenkins-${lower(random_id.bucket_prefix.hex)}"
+  depends_on = ["aws_s3_bucket.bootstrap_bucket"]
+  acl        = "private"
+  key        = "license/"
+  source     = "/dev/null"
 }
 
 resource "aws_s3_bucket_object" "content" {
-  bucket = "${aws_s3_bucket.bootstrap_bucket.id}"
-  acl    = "private"
-  key    = "content/"
-  source = "/dev/null"
+  bucket     = "sec-frame-jenkins-${lower(random_id.bucket_prefix.hex)}"
+  depends_on = ["aws_s3_bucket.bootstrap_bucket"]
+  acl        = "private"
+  key        = "content/"
+  source     = "/dev/null"
 }

aws/Jenkins_proj-master/WebInDeploy/bootstrap/bootstrap.xml

@@ -741,13 +741,6 @@
                 </hourly>
               </recurring>
             </anti-virus>
-            <wildfire>
-              <recurring>
-                <every-min>
-                  <action>download-and-install</action>
-                </every-min>
-              </recurring>
-            </wildfire>
           </update-schedule>
         </system>
         <setting>

aws/Jenkins_proj-master/WebInDeploy/firewalls.tf

@@ -1,5 +1,17 @@
-resource "aws_iam_role" "JFFBootstrapRole" {
-  name = "JFFBootstrapRole"
+resource "random_id" "bootstraprole" {
+  byte_length = 3
+}
+
+resource "random_id" "bootstrappolicy" {
+  byte_length = 3
+}
+
+resource "random_id" "bootstrapinstanceprofile" {
+  byte_length = 3
+}
+
+resource "aws_iam_role" "jenkins-bootstraprole" {
+  name = "jenkins-bootstraprole-${random_id.bootstraprole.hex}"
 
   assume_role_policy = <<EOF
 {
@@ -17,9 +29,9 @@ resource "aws_iam_role" "JFFBootstrapRole" {
 EOF
 }
 
-resource "aws_iam_role_policy" "JFFBootstrapRolePolicy" {
-  name = "JFFBootstrapRolePolicy"
-  role = "${aws_iam_role.JFFBootstrapRole.id}"
+resource "aws_iam_role_policy" "jenkins-bootstrappolicy" {
+  name = "jenkins-bootstrappolicy${random_id.bootstrappolicy.hex}"
+  role = "${aws_iam_role.jenkins-bootstraprole.id}"
 
   policy = <<EOF
 {
@@ -28,21 +40,21 @@ resource "aws_iam_role_policy" "JFFBootstrapRolePolicy" {
     {
       "Effect": "Allow",
       "Action": "s3:ListBucket",
-      "Resource": "arn:aws:s3:::${var.bootstrap_s3bucket}"
+      "Resource": "arn:aws:s3:::${aws_s3_bucket.bootstrap_bucket.bucket}"
     },
     {
     "Effect": "Allow",
     "Action": "s3:GetObject",
-    "Resource": "arn:aws:s3:::${var.bootstrap_s3bucket}/*"
+    "Resource": "arn:aws:s3:::${aws_s3_bucket.bootstrap_bucket.bucket}/*"
     }
   ]
 }
 EOF
 }
 
-resource "aws_iam_instance_profile" "JFFBootstrapInstanceProfile" {
-  name = "JFFBootstrapInstanceProfile"
-  role = "${aws_iam_role.JFFBootstrapRole.name}"
+resource "aws_iam_instance_profile" "jenkins-bootstrapinstanceprofile" {
+  name = "jenkins-bootstrapinstanceprofile${random_id.bootstrapinstanceprofile.hex}"
+  role = "${aws_iam_role.jenkins-bootstraprole.name}"
   path = "/"
 }
 
@@ -66,6 +78,7 @@ resource "aws_network_interface" "FW1-TRUST" {
   source_dest_check = false
   private_ips       = ["10.0.2.10"]
 }
+
 resource "aws_eip_association" "FW1-UNTRUST-Association" {
   network_interface_id = "${aws_network_interface.FW1-UNTRUST.id}"
   allocation_id        = "${aws_eip.FW1-PUB.id}"
@@ -85,7 +98,7 @@ resource "aws_instance" "PA-VM1" {
 
   disable_api_termination = false
 
-  iam_instance_profile = "${aws_iam_instance_profile.JFFBootstrapInstanceProfile.name}"
+  iam_instance_profile = "${aws_iam_instance_profile.jenkins-bootstrapinstanceprofile.name}"
   ebs_optimized        = true
   ami                  = "${var.PANFWRegionMap[var.aws_region]}"
   instance_type        = "m4.xlarge"
@@ -115,5 +128,5 @@ resource "aws_instance" "PA-VM1" {
     network_interface_id = "${aws_network_interface.FW1-TRUST.id}"
   }
 
-  user_data = "${base64encode(join("", list("vmseries-bootstrap-aws-s3bucket=", var.bootstrap_s3bucket)))}"
+  user_data = "${base64encode(join("", list("vmseries-bootstrap-aws-s3bucket=", "${aws_s3_bucket.bootstrap_bucket.bucket}")))}"
 }

aws/Jenkins_proj-master/WebInDeploy/kali-instance.tf

@@ -28,18 +28,10 @@ resource "aws_instance" "kali" {
 
   user_data = "${base64encode(join("", list(
       "#! /bin/bash\n",
-          "sudo su\n",
-          "apt-get update\n",
-          "apt install docker.io python3-pip build-essential libssl-dev libffi-dev -y --force-yes\n",
-          "pip3 install docker-compose\n",
-          "cd /var/tmp\n",
-          "wget https://raw.githubusercontent.com/wwce/terraform/master/aws/Jenkins_proj-master/.temp/Dockerfile\n",
-          "wget https://raw.githubusercontent.com/wwce/terraform/master/aws/Jenkins_proj-master/.temp/docker-compose.yml\n",
-          "wget https://github.com/wwce/terraform/blob/master/aws/Jenkins_proj-master/attacker/run.sh\n",
-          "wget https://raw.githubusercontent.com/wwce/terraform/master/aws/Jenkins_proj-master/attacker/auto-sploit.sh\n",
-          "wget https://raw.githubusercontent.com/wwce/terraform/master/aws/Jenkins_proj-master/exp-server.py\n",
-          "docker-compose build\n",
-          "docker-compose up -d\n"
+             "sudo cd /var/tmp\n",
+             "sudo wget -O initialize_attacker.sh https://raw.githubusercontent.com/wwce/terraform/master/aws/Jenkins_proj-master/WebInDeploy/scripts/initialize_attacker.sh\n",
+             "sudo chmod 755 initialize_attacker.sh &&\n",
+             "sudo bash ./initialize_attacker.sh\n"
     )))
    }"
 }

aws/Jenkins_proj-master/WebInDeploy/scripts/initialize_attacker.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+apt-get update
+apt-get update
+apt install docker.io python3-pip build-essential libssl-dev libffi-dev -y --force-yes
+pip3 install docker-compose
+cd /var/tmp
+echo "version: '3'" > docker-compose.yml
+echo "services:" >> docker-compose.yml
+echo "  attacker:" >> docker-compose.yml
+echo "    image: pglynn/kali:latest" >> docker-compose.yml
+echo "    ports:" >> docker-compose.yml
+echo "      - \"443:443\"" >> docker-compose.yml
+echo "      - \"5000:5000\"" >> docker-compose.yml
+docker-compose up -d

aws/Jenkins_proj-master/WebInDeploy/scripts/initialize_webserver.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+apt-get update
+apt-get update
+apt install docker.io python3-pip build-essential libssl-dev libffi-dev -y --force-yes
+pip3 install docker-compose
+cd /var/tmp
+echo "version: '3'" > docker-compose.yml
+echo "services:" >> docker-compose.yml
+echo "  jenkins:" >> docker-compose.yml
+echo "    image: pglynn/jenkins:latest" >> docker-compose.yml
+echo "    environment:" >> docker-compose.yml
+echo "      JAVA_OPTS: \"-Djava.awt.headless=true\"" >> docker-compose.yml
+echo "      JAVA_OPTS: \"-Djenkins.install.runSetupWizard=false\"" >> docker-compose.yml
+echo "    ports:" >> docker-compose.yml
+echo "      - \"50000:50000\"" >> docker-compose.yml
+echo "      - \"8080:8080\"" >> docker-compose.yml
+docker-compose up -d