Merge pull request #297 from JD2344/web_network_security

Web network security

modules/vulnerabilities/unix/web_training/security_shepherd/manifests/install.pp

@@ -18,11 +18,22 @@ class security_shepherd::install {
   exec { 'remove-default-site':
     command => 'rm -rf /var/lib/tomcat9/webapps/*',
   }
-  -> file { '/var/lib/tomcat9/webapps/ROOT.war':
+  #-> file { '/var/lib/tomcat9/webapps/ROOT.war':
+  #  ensure => file,
+  #  source => 'puppet:///modules/security_shepherd/ROOT.war',
+  #}
+  -> file { '/tmp/ROOT.zip':
     ensure => file,
-    source => 'puppet:///modules/security_shepherd/ROOT.war',
+    source => 'puppet:///modules/security_shepherd/ROOT.zip',
   }
-  file { '/var/lib/tomcat9/conf/shepherdKeystore.p12':
+  -> file { ['/tmp/ROOT' ,'/tmp/ROOT/WEB-INF', '/tmp/ROOT/WEB-INF/classes']:
+      ensure => directory,
+  }
+  exec { 'extract ROOT':
+      cwd => '/tmp',
+      command => 'unzip ROOT.zip -d ROOT',
+  }
+  -> file { '/var/lib/tomcat9/conf/shepherdKeystore.p12':
     ensure => file,
     source => 'puppet:///modules/security_shepherd/shepherdKeystore.p12',
   }
@@ -45,14 +56,15 @@ class security_shepherd::install {
     source  => 'puppet:///modules/security_shepherd/my.cnf',
     replace => true,
   }
-
-  service { 'tomcat9':
+  -> service { 'tomcat9':
     ensure     => running,
     name       => 'tomcat9',
     enable     => true,
     hasrestart => true,
-    subscribe  => [
-      File['/var/lib/tomcat9/webapps/ROOT.war'],
-    ],
+    #subscribe  => [
+    #  File['/var/lib/tomcat9/webapps/ROOT.war'],
+    #],
   }
+  
+
 }

modules/vulnerabilities/unix/web_training/security_shepherd/manifests/mariadb.pp

@@ -36,19 +36,27 @@ class security_shepherd::mariadb {
     cwd     => '/tmp',
     command => "mysql -u ${user} -p${db_pass} < moduleSchemas.sql",
   }
-
-  file { ['/var/lib/tomcat9/webapps/ROOT', '/var/lib/tomcat9/webapps/ROOT/WEB-INF', '/var/lib/tomcat9/webapps/ROOT/WEB-INF/classes', '/var/lib/tomcat9/webapps/ROOT/WEB-INF/classes/flag-store']:
-    ensure  => directory,
-  }
-  -> file { '/var/lib/tomcat9/webapps/ROOT/WEB-INF/classes/flags':
+  
+  # /var/lib/tomcat9/webapps
+  -> file { '/tmp/ROOT/WEB-INF/classes/flags':
     ensure  => file,
+    replace => true,
+    owner => 'tomcat',
+    group => 'tomcat',
     content => template('security_shepherd/flags.erb'),
   }
-  -> file { '/var/lib/tomcat9/webapps/ROOT/WEB-INF/classes/active-modules':
+  # /var/lib/tomcat9/webapps
+  -> file { '/tmp/ROOT/WEB-INF/classes/active-modules':
     ensure  => file,
+    replace => true,
+    owner => 'tomcat',
+    group => 'tomcat',
     content => template('security_shepherd/active-modules.erb'),
-    notify  => Service['tomcat9']
   }
+  -> exec { 'jar -cvf ROOT.war *':
+      cwd => '/tmp/ROOT',
+  }
+  -> exec { 'mv /tmp/ROOT/ROOT.war /var/lib/tomcat9/webapps':}
   # This needs updating? Weird chicanery happens if not used this way
   exec { 'restart-tom':
     command => 'systemctl restart tomcat9',

modules/vulnerabilities/unix/web_training/security_shepherd/templates/coreSchema.sql.erb

@@ -1741,7 +1741,7 @@ CALL cheatSheetCreate('08b3dffd4b837ebe53d52e53b5bbbabf4a4ca9ae', '08b3dffd4b837
 COMMIT;
 
 -- Add a secgen class
---call classCreate('secgen1', '2023');
+--call classCreate('secgen1', 'wns');
 
 -- Default admin user
 -- Use password shepherd-admin

scenarios/labs/web_security/1_intro_web_security.xml

@@ -7,7 +7,8 @@
     <name>Introducing Web security</name>
     <author>James Davis</author>
     <description>Web and Network Security - Introducing Web security</description>
-    <lab_sheet_url>https://docs.google.com/document/d/1vLy56U53lqb8ZpQVLwxznCBsGv0KPM_uXJW1WD5DCiI/edit?usp=sharing</lab_sheet_url>
+    <lab_sheet_url>
+        https://docs.google.com/document/d/1vLy56U53lqb8ZpQVLwxznCBsGv0KPM_uXJW1WD5DCiI/edit?usp=sharing</lab_sheet_url>
 
     <type>ctf-lab</type>
     <type>lab-sheet</type>
@@ -52,7 +53,7 @@
                 <value>shepherd</value>
             </input>
             <input into="flag_store" into_datastore="flag_store">
-                <generator type="flag_generator">
+                <generator type="flag_generator" module_path=".*base64">
                     <input into="iterations">
                         <value>1</value>
                     </input>

scenarios/labs/web_security/2_sessions_and_cookies.xml

@@ -7,7 +7,8 @@
     <name>Session Management</name>
     <author>James Davis</author>
     <description>Web and Network Security - Session Management</description>
-    <lab_sheet_url>https://docs.google.com/document/d/1xcbf0bqtdMGgJAjeedw5MUbkRosMyQ_UZ0gN4IeCBFs/edit?usp=sharing</lab_sheet_url>
+    <lab_sheet_url>
+        https://docs.google.com/document/d/1xcbf0bqtdMGgJAjeedw5MUbkRosMyQ_UZ0gN4IeCBFs/edit?usp=sharing</lab_sheet_url>
 
     <type>lab-environment</type>
     <type>ctf-lab</type>
@@ -51,7 +52,7 @@
                 <value>shepherd</value>
             </input>
             <input into="flag_store" into_datastore="flag_store">
-                <generator type="flag_generator">
+                <generator type="flag_generator" module_path=".*base64">
                     <input into="iterations">
                         <value>10</value>
                     </input>

scenarios/labs/web_security/3_xss.xml

@@ -7,7 +7,8 @@
     <name>Cross-Site Scripting</name>
     <author>James Davis</author>
     <description>Web and Network Security - Cross-Site Scripting</description>
-    <lab_sheet_url>https://docs.google.com/document/d/1f7hD_sZnBChklLZmskpxp1dIJUG9Ntw_06t76ltnPTk/edit?usp=sharing</lab_sheet_url>
+    <lab_sheet_url>
+        https://docs.google.com/document/d/1f7hD_sZnBChklLZmskpxp1dIJUG9Ntw_06t76ltnPTk/edit?usp=sharing</lab_sheet_url>
 
     <type>lab-environment</type>
     <type>ctf-lab</type>
@@ -51,7 +52,7 @@
                 <value>shepherd</value>
             </input>
             <input into="flag_store" into_datastore="flag_store">
-                <generator type="flag_generator">
+                <generator type="flag_generator" module_path=".*base64">
                     <input into="iterations">
                         <value>6</value>
                     </input>

scenarios/labs/web_security/4_sqli.xml

@@ -7,7 +7,8 @@
     <name>SQL injection</name>
     <author>James Davis</author>
     <description>Web and Network Security - SQL</description>
-    <lab_sheet_url>https://docs.google.com/document/d/1G_b4f25ufopbDw6djpO1D-nhbJ7vFOCY-QZJtoTUSKg/edit?usp=sharing</lab_sheet_url>
+    <lab_sheet_url>
+        https://docs.google.com/document/d/1G_b4f25ufopbDw6djpO1D-nhbJ7vFOCY-QZJtoTUSKg/edit?usp=sharing</lab_sheet_url>
 
     <type>lab-environment</type>
     <type>ctf-lab</type>
@@ -51,7 +52,7 @@
                 <value>shepherd</value>
             </input>
             <input into="flag_store" into_datastore="flag_store">
-                <generator type="flag_generator">
+                <generator type="flag_generator" module_path=".*base64">
                     <input into="iterations">
                         <value>11</value>
                     </input>

scenarios/labs/web_security/5_sqli_advanced.xml

@@ -7,7 +7,8 @@
     <name>WNS Intro</name>
     <author>James Davis</author>
     <description>Web and Network Security - Advanced Injection</description>
-    <lab_sheet_url>https://docs.google.com/document/d/1tj7qQ-1HbmxXaZNMOCPVECHrFAHpkRVcD_Q0FvMhIWQ/edit?usp=sharing</lab_sheet_url>
+    <lab_sheet_url>
+        https://docs.google.com/document/d/1tj7qQ-1HbmxXaZNMOCPVECHrFAHpkRVcD_Q0FvMhIWQ/edit?usp=sharing</lab_sheet_url>
 
     <type>lab-environment</type>
     <type>ctf-lab</type>
@@ -51,7 +52,7 @@
                 <value>shepherd</value>
             </input>
             <input into="flag_store" into_datastore="flag_store">
-                <generator type="flag_generator">
+                <generator type="flag_generator" module_path=".*base64">
                     <input into="iterations">
                         <value>4</value>
                     </input>

scenarios/labs/web_security/6_csrf.xml

@@ -7,7 +7,8 @@
     <name>Cross-Site Request Forgery</name>
     <author>James Davis</author>
     <description>Web and Network Security - Cross-Site Request Forgery</description>
-    <lab_sheet_url>https://docs.google.com/document/d/1ABryiNKLDiIG6i7PQUztzzynjPo3fRSBP4OakxCPraY/edit?usp=sharing</lab_sheet_url>
+    <lab_sheet_url>
+        https://docs.google.com/document/d/1ABryiNKLDiIG6i7PQUztzzynjPo3fRSBP4OakxCPraY/edit?usp=sharing</lab_sheet_url>
 
     <type>lab-environment</type>
     <type>ctf-lab</type>
@@ -51,7 +52,7 @@
                 <value>shepherd</value>
             </input>
             <input into="flag_store" into_datastore="flag_store">
-                <generator type="flag_generator">
+                <generator type="flag_generator" module_path=".*base64">
                     <input into="iterations">
                         <value>8</value>
                     </input>

scenarios/labs/web_security/7_additional_web.xml

@@ -7,7 +7,8 @@
     <name>Additional Web Challenges</name>
     <author>James Davis</author>
     <description>Web and Network Security - Packet analysis, firewalls and VPNs</description>
-    <lab_sheet_url>https://docs.google.com/document/d/1DDjyBGtB9vaFD6S2s1jQn7_bpVn4UlK-njbmVX5_UiM/edit?usp=sharing</lab_sheet_url>
+    <lab_sheet_url>
+        https://docs.google.com/document/d/1DDjyBGtB9vaFD6S2s1jQn7_bpVn4UlK-njbmVX5_UiM/edit?usp=sharing</lab_sheet_url>
 
     <type>lab-environment</type>
     <type>ctf-lab</type>
@@ -44,7 +45,7 @@
                 <value>shepherd</value>
             </input>
             <input into="flag_store" into_datastore="flag_store">
-                <generator type="flag_generator">
+                <generator type="flag_generator" module_path=".*base64">
                     <input into="iterations">
                         <value>4</value>
                     </input>