From 4a2b743a08af5855fefe02e9034b3cb6885a3ef9 Mon Sep 17 00:00:00 2001 From: Tanishq Rupaal Date: Tue, 10 Dec 2024 22:19:32 -0500 Subject: [PATCH] add docs --- README.md | 115 +++++++++++++++++------- docs/advanced/build.md | 156 +++++++++++++++++++++++++++++++++ docs/advanced/shortcuts.md | 163 +++++++++++++++++++++++++++++++++++ docs/advanced/ssh-tmux.md | 161 ++++++++++++++++++++++++++++++++++ docs/home/contributing.md | 113 ++++++++++++++++++++++++ docs/home/conventions.md | 84 ++++++++++++++++++ docs/home/getting-started.md | 106 ++++++++++++++++++++++- docs/home/index.md | 40 ++++++++- docs/tools/cloud-tools.md | 111 ++++++++++++++++++++++++ docs/tools/dev-tools.md | 1 + docs/tools/general-tools.md | 101 ++++++++++++++++++++++ docs/tools/netsec-tools.md | 1 + docs/tools/rice-tools.md | 119 +++++++++++++++++++++++++ docs/variants/cloud.md | 28 ++++++ docs/variants/dev.md | 21 +++++ docs/variants/general.md | 33 ++++++- docs/variants/index.md | 15 +++- docs/variants/netsec.md | 21 +++++ docs/variants/rice.md | 29 ++++++- mkdocs.yml | 5 +- scripts/cloud-builder.sh | 5 ++ 21 files changed, 1385 insertions(+), 43 deletions(-) create mode 100644 docs/advanced/build.md create mode 100644 docs/advanced/shortcuts.md create mode 100644 docs/advanced/ssh-tmux.md create mode 100644 docs/home/contributing.md create mode 100644 docs/home/conventions.md create mode 100644 docs/tools/cloud-tools.md create mode 100644 docs/tools/dev-tools.md create mode 100644 docs/tools/netsec-tools.md create mode 100644 docs/tools/rice-tools.md create mode 100644 docs/variants/cloud.md create mode 100644 docs/variants/dev.md create mode 100644 docs/variants/netsec.md create mode 100644 scripts/cloud-builder.sh diff --git a/README.md b/README.md index cfc2d14..eb0590f 100644 --- a/README.md +++ b/README.md @@ -1,56 +1,105 @@


- DISecT -
Containerized Security Toolkit (CST)
+ CST +
+ Containerized Security Toolkit (CST) +

- Companion Blog • - Docker Hub

- Release Build -
- (ARM builds through CCI until ARM GHA runners are available) + + + + + + + + + +
+ Documentation • + Docker Hub

-
+

A comprehensive suite of containerized security toolkits for various security operations

-This project contains two Dockerfiles for a multi-stage image build that results in an ARM (useful for Apple Silicon Macs) or x86_64 variants of a security focused docker image → +

+ Build Status:
+ General: + + General Build + + + General ARM Build + +
+ Cloud: + + Cloud Build + + + Cloud ARM Build + +
+ Rice: + + Rice Build + + + Rice ARM Build + +

-- **Security Image for x86_64** -- **Security Image for ARM64** +## Overview -The image is built automatically on via CI/CD pipelines and pushed to Docker Hub. The image is called `sec_docker` and it presents multiple tags → +The Containerized Security Toolkit (CST) provides a comprehensive suite of Docker images tailored for various security operations. Each variant is designed for specific use cases while maintaining consistency in basic functionality: -| | x86\_64 | ARM | -| --- | --- | --- | -| tag | `main` | `main_apple` | -| image ref | `tanq16/sec_docker:main` | `tanq16/sec_docker:main_apple` | +- **General** (`tanq16/cst-general:*`): Core security tools and utilities for general security operations +- **Cloud** (`tanq16/cst-cloud:*`): Specialized for cloud security assessments and operations +- **Dev** (`tanq16/cst-dev:*`): Development environment with security tools (Python, Go, Node.js) - WIP +- **Netsec** (`tanq16/cst-netsec:*`): Network security assessment and monitoring tools - WIP +- **Rice** (`tanq16/cst-rice:*`): Enhanced version of General with [CLI Productivity Suite](https://github.com/Tanq16/cli-productivity-suite) -It has the [cli-productivity-suite](https://github.com/tanq16/cli-productivity-suite) preinstalled within the image. The [companion blog post](https://tanishq.page/blog/posts/cst-guide/) goes over using the pre-built image, building it with modifications, conventions considered when creating the Dockerfiles, and different ways it can be used. +Each variant is available for both x86_64 and ARM64 architectures: ---- +``` +tanq16/cst-:amd # For x86_64 systems +tanq16/cst-:arm # For ARM64 systems (Apple Silicon, etc.) 
+``` + +## Quickstart -For a quick look into the container and its capabilities, built from this image, is as follows → +Get started with the General variant in seconds: ```bash -docker run --name="sec_docker_quickstart" --rm -it tanq16/sec_docker:main /bin/zsh +# Create persistence directory +mkdir -p $HOME/docker_work/ + +# Run container (use general-arm for ARM64 systems) +docker run --name="cst_general" \ + -v $HOME/docker_work/:/persist \ + --rm -it tanq16/cst-general:amd \ + /bin/bash ``` -It is also recommended to run the following command (replace with your timezone in second line) after getting into the container → +For advanced usage patterns, variant-specific guides, and comprehensive documentation: +- 📚 [Full Documentation](https://tanishq.page/containerized-security-toolkit) +- 🚀 [Advanced Workflows](https://tanishq.page/containerized-security-toolkit/advanced/workflows) +- 🔧 [Tool Lists](https://tanishq.page/containerized-security-toolkit/tools/general-tools) -```bash -export TERM=xterm-256color && \ -echo "America/Chicago" > /etc/timezone && rm -rf /etc/localtime && \ -ln -s "/usr/share/zoneinfo/$(cat /etc/timezone)" /etc/localtime -``` +## Key Features + +- 🔄 **Persistent Storage**: Mount local directories for data persistence +- 🔒 **Secure Design**: Regular security updates and best practices +- 🎯 **Purpose-Built**: Each variant optimized for specific security tasks +- 🔧 **Rich Tooling**: Comprehensive set of pre-installed security tools +- 📦 **Consistent Environment**: Reproducible setup across systems +- 🖥️ **Cross-Platform**: Full support for both x86_64 and ARM64 -If you exit the shell, the container will be destroyed along with the information in the ephemeral filesystem. 
I recommend reading the [companion blog post](https://tanishq.page/blog/posts/cst-guide/) for a better workflow +## Contributing -There are several other nuances related to running the container, such as → +Check out [contribution guidelines](https://tanishq.page/containerized-security-toolkit/home/contributing) for details on how to submit changes. -- setting up a persistence diretcory across container restarts -- using one-word shell functions to start and stop containers with customized settings -- connecting to the container via SSH -- dynamic port-forwarding over SSH to access container-local services +## License -All of the above nuances are comprehensively explained in the [companion blog post](https://tanishq.page/blog/posts/cst-guide/), especially the *Example Workflow* section. +This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details. diff --git a/docs/advanced/build.md b/docs/advanced/build.md new file mode 100644 index 0000000..8c73e91 --- /dev/null +++ b/docs/advanced/build.md 
@@ -0,0 +1,156 @@ +# DIY Build Guide + +The CST images can be customized and built locally. This guide explains the build process and customization options. + +## Basic Build Process + +CST uses a multi-stage build process for efficient image creation: + +1. **Builder Stage** + ```dockerfile + FROM ubuntu:jammy AS executable_builder + # Tool compilation and binary creation + ``` + +2. **Final Stage** + ```dockerfile + FROM ubuntu:jammy + # System setup and tool installation + ``` + +### Building Images + +Basic build commands: + +```bash +# Change to variant directory +cd images/ + +# Build intermediate layer +docker build -f builder.Dockerfile -t intermediate_builder . + +# Build final image +docker build -t cst-:local . + +# Clean up +docker builder prune -f +``` + +## Customization Options + +### Adding New Tools + +1. **Builder Stage Modifications** + ```dockerfile + # In builder.Dockerfile + RUN go install github.com/your/tool@latest && \ + mv /go/bin/tool /executables/ + ``` + +2. **Final Stage Additions** + ```dockerfile + # In Dockerfile + RUN apt-get update && apt-get install -y \ + your-additional-package + + # Add custom scripts + COPY ./scripts/custom.sh /opt/scripts/ + ``` + +### Creating New Variants + +1. Create new variant directory: + ```bash + mkdir -p images/custom + cp images/general/* images/custom/ + ``` + +2. Modify Dockerfiles for specific needs: + ```dockerfile + # Add specialized tools + RUN apt-get update && apt-get install -y \ + specialized-package + + # Add custom configurations + COPY configs/ /etc/custom/ + ``` + +## Advanced Building + +### Cross-Platform Builds + +Building for multiple architectures: + +```bash +# Setup buildx +docker buildx create --use + +# Build multi-platform image +docker buildx build \ + --platform linux/amd64,linux/arm64 \ + -t username/cst-custom:latest . +``` + +### Optimization Techniques + +1. 
**Layer Optimization** + ```dockerfile + # Combine related operations + RUN apt-get update && \ + apt-get install -y \ + package1 \ + package2 && \ + apt-get clean && \ + rm -rf /var/lib/apt/lists/* + ``` + +2. **Size Reduction** + ```dockerfile + # Use multi-stage builds + FROM build-image AS builder + # Build tools + + FROM runtime-image + # Copy only necessary files + COPY --from=builder /app/binary /usr/local/bin/ + ``` + +## Testing Builds + +1. **Basic Testing** + ```bash + # Build test image + docker build -t cst-test . + + # Run basic tests + docker run --rm cst-test which tool1 tool2 tool3 + ``` + +2. **Feature Testing** + ```bash + # Test specific features + docker run --rm cst-test \ + bash -c "tool --version && tool --help" + ``` + +## Best Practices + +1. **Version Control** + - Tag images with version numbers + - Document changes in changelog + - Use semantic versioning + +2. **Documentation** + - Update tool lists + - Document new features + - Include usage examples + +3. **Security** + - Scan images for vulnerabilities + - Update base images regularly + - Follow security best practices + +4. **Maintenance** + - Regular dependency updates + - Version compatibility checks + - Performance optimization diff --git a/docs/advanced/shortcuts.md b/docs/advanced/shortcuts.md new file mode 100644 index 0000000..64e8a59 --- /dev/null +++ b/docs/advanced/shortcuts.md 
@@ -0,0 +1,163 @@ +# Shell Shortcuts and Functions + +The CST environment can be enhanced with shell functions that streamline container management and daily operations. These functions provide a seamless workflow for starting, accessing, and managing CST containers. + +## Core Container Management + +The following shell functions handle container lifecycle management. Add these to your shell's RC file (`.bashrc`, `.zshrc`, etc.): + +```bash +start_cst() { + # First argument is the variant name, defaulting to 'general' + variant=${1:-general} + arch=$(uname -m | grep -q "aarch64" && echo "arm" || echo "amd") + + # Run container with SSH enabled and history persistence + docker run --name="cst_${variant}" --rm -d \ + -v $HOME/docker_work/:/persist \ + -p 50022:22 ${@:2} \ + -it tanq16/cst-${variant}:${arch} \ + bash -c "service ssh start; cp /persist/.bash_history /root/.bash_history 2>/dev/null; tail -f /dev/null" + + # Generate and set SSH password + new_pass=$(cat /dev/random | head -c 20 | base64 | tr -d '=+/') + echo "Password: $new_pass" + echo $new_pass > current_docker_password + docker exec -e newpp="$new_pass" cst_${variant} bash -c 'echo "root:$(printenv newpp)" | chpasswd' +} + +stop_cst() { + # Gracefully stop container and preserve history + variant=${1:-general} + docker cp cst_${variant}:/root/.bash_history $HOME/docker_work/.bash_history 2>/dev/null + docker stop cst_${variant} -t 0 +} +``` + +These functions provide: +- Automatic architecture detection (ARM/AMD) +- Command history persistence +- SSH access with random password generation +- Flexible port mapping +- Volume mounting for persistence + +## Enhanced Access Functions + +Additional functions can improve container access and management: + +```bash +connect_cst() { + # Direct shell access to running container + variant=${1:-general} + docker exec -it cst_${variant} /bin/bash +} + +ssh_cst() { + # SSH into container with dynamic port forwarding + variant=${1:-general} + ssh -o 
"StrictHostKeyChecking=no" \ + -o "UserKnownHostsFile=/dev/null" \ + -D 65500 \ + root@localhost -p 50022 +} + +port_cst() { + # Add port mapping to running container + variant=${1:-general} + host_port=$2 + container_port=$3 + docker exec cst_${variant} \ + iptables -t nat -A DOCKER -p tcp --dport $container_port -j DNAT --to-destination :$host_port +} +``` + +## Usage Examples + +Starting a Cloud variant container with extra port mapping: + +```bash +start_cst cloud -p 50080:80 -p 50443:443 +``` + +Accessing the container via SSH with dynamic port forwarding: + +```bash +ssh_cst cloud +``` + +Adding port mapping to a running container: + +```bash +port_cst general 8080 80 +``` + +## Advanced Configuration Tips + +### Persistent Configurations + +Create a `.cst_config` file in your home directory: + +```bash +# ~/.cst_config +CST_PERSIST_DIR="$HOME/docker_work" +CST_DEFAULT_PORTS="-p 50080:80 -p 50443:443" +CST_EXTRA_MOUNTS="-v $HOME/.aws:/root/.aws" + +# Source this in your shell RC file +if [ -f ~/.cst_config ]; then + source ~/.cst_config +fi +``` + +### Shell Function Enhancements + +Extended start function with configurations: + +```bash +start_cst_enhanced() { + variant=${1:-general} + docker run --name="cst_${variant}" --rm -d \ + -v "${CST_PERSIST_DIR:-$HOME/docker_work}":/persist \ + -p 50022:22 \ + ${CST_DEFAULT_PORTS} \ + ${CST_EXTRA_MOUNTS} \ + ${@:2} \ + -it tanq16/cst-${variant}:${arch} \ + bash -c "service ssh start && tail -f /dev/null" +} +``` + +## Best Practices + +1. **Resource Management** + Create cleanup functions for maintenance: + ```bash + cleanup_cst() { + docker ps -a | grep 'cst_' | awk '{print $1}' | xargs docker stop + docker container prune -f + } + ``` + +2. **Development Workflow** + Mount development directories: + ```bash + start_cst dev \ + -v ~/projects:/persist/projects \ + -v ~/.gitconfig:/root/.gitconfig + ``` + +3. 
**Network Security** + Use SSH dynamic port forwarding for securely accessing container-internal services: + ```bash + ssh -D 65500 root@localhost -p 50022 + ``` + +4. **Data Persistence** + Structure your persistent storage: + ``` + docker_work/ + ├── projects/ + ├── .aws/ + ├── .bash_history + └── configs/ + ``` diff --git a/docs/advanced/ssh-tmux.md b/docs/advanced/ssh-tmux.md new file mode 100644 index 0000000..377756e --- /dev/null +++ b/docs/advanced/ssh-tmux.md 
@@ -0,0 +1,161 @@ +# SSH and TMUX Advanced Usage + +SSH and TMUX integration in CST provides a powerful environment for remote work and session management. This guide covers advanced usage patterns and configurations. + +## SSH Configuration + +### Dynamic Port Forwarding + +SSH dynamic port forwarding creates a SOCKS proxy for flexible access to container services: + +```bash +ssh -D 65500 root@localhost -p 50022 +``` + +This enables: +- Browser proxy configuration +- Tool traffic routing +- Service access through proxy + +### Advanced SSH Configuration + +Create a dedicated SSH config for CST connections: + +```bash +# ~/.ssh/config +Host cst-* + User root + Port 50022 + HostName localhost + StrictHostKeyChecking no + UserKnownHostsFile /dev/null + DynamicForward 65500 +``` + +Usage becomes as simple as: + +```bash +ssh cst-general +``` + +## TMUX Advanced Usage + +### Session Management + +CST's TMUX configuration provides enhanced session management: + +1. **Named Sessions** + ```bash + # Create new named session + tmux new -s security + + # Attach to existing session + tmux attach -t security + ``` + +2. **Workspace Organization** + ```bash + # Create development workspace + tmux new -s dev -n 'code' \; \ + send-keys 'cd /persist/projects' C-m \; \ + split-window -h \; \ + send-keys 'htop' C-m \; \ + new-window -n 'logs' \; \ + send-keys 'tail -f /var/log/auth.log' C-m + ``` + +### Custom Configurations + +The Rice variant includes an enhanced TMUX configuration. Create custom layouts: + +```bash +# ~/.tmux.conf +# Security assessment layout +bind S source-file ~/.tmux/layouts/security + +# ~/.tmux/layouts/security +split-window -v +select-pane -t 1 +split-window -h +select-pane -t 0 +send-keys 'nmap -v' C-m +select-pane -t 1 +send-keys 'tail -f /var/log/auth.log' C-m +select-pane -t 2 +send-keys 'htop' C-m +``` + +## Integration Patterns + +### SSH + TMUX Workflow + +1. 
**Persistent Sessions** + ```bash + # Start container + start_cst rice + + # Connect and create session + ssh cst-rice -t tmux new -s work + ``` + +2. **Session Sharing** + ```bash + # Allow multiple clients + tmux set-option -g allow-clients + + # Connect additional shell + ssh cst-rice -t tmux attach -t work + ``` + +### Advanced Use Cases + +1. **Development Environment** + ```bash + tmux new-session -s dev \; \ + send-keys 'cd /persist/projects' C-m \; \ + split-window -h \; \ + send-keys 'docker stats' C-m \; \ + split-window -v \; \ + send-keys 'tail -f logs/*.log' C-m + ``` + +2. **Monitoring Setup** + ```bash + tmux new-session -s monitor \; \ + send-keys 'htop' C-m \; \ + split-window -h \; \ + send-keys 'watch docker ps' C-m \; \ + split-window -v \; \ + send-keys 'tail -f /var/log/*' C-m + ``` + +## Best Practices + +1. **Session Naming** + Use consistent naming conventions: + - `dev-*` for development sessions + - `sec-*` for security assessment + - `mon-*` for monitoring + +2. **Window Management** + Organize windows by function: + - Main workspace window + - Monitoring window + - Log window + - Tool-specific windows + +3. **Pane Layout** + Design efficient layouts: + - Command input at top + - Logs at bottom + - Monitoring on side + - Status in corner + +4. **Key Bindings** + Configure task-specific bindings: + ```bash + # ~/.tmux.conf + bind-key M-s source-file ~/.tmux/layouts/security + bind-key M-d source-file ~/.tmux/layouts/development + bind-key M-m source-file ~/.tmux/layouts/monitoring + ``` diff --git a/docs/home/contributing.md b/docs/home/contributing.md new file mode 100644 index 0000000..92adcb1 --- /dev/null +++ b/docs/home/contributing.md 
@@ -0,0 +1,113 @@ +# Contributing to CST + +Thank you for your interest in contributing to the Containerized Security Toolkit! This document provides guidelines for contributing to the project. + +## Getting Started + +1. Fork the repository +2. Clone your fork: + ```bash + git clone https://github.com/YOUR-USERNAME/containerized-security-toolkit + ``` +3. Create a new branch: + ```bash + git checkout -b feature/your-feature-name + ``` + +## Development Environment + +1. Install prerequisites: + - Docker + - Docker Buildx (if working cross-platform) + +2. Install documentation dependencies: + ```bash + pip install mkdocs-material + ``` + +## Building Images + +To build images locally: + +```bash +# For x86_64 or ARM64 systems +cd images/$VARIANT +docker build -f builder.Dockerfile -t intermediate_builder . +docker build -t cst-:local . +``` + +To build ARM64 on x86_64 systems, use: + +```bash +# For ARM64 on x86_64 systems +docker buildx build --platform linux/arm64 -f builder.Dockerfile -t intermediate_builder . +docker buildx build --platform linux/arm64 -t cst-:local . +``` + +## Project Structure + +``` +. +├── docs/ # Documentation +├── images/ # Dockerfile for each variant +│ ├── general/ +│ ├── cloud/ +│ ├── dev/ +│ ├── netsec/ +│ └── rice/ +└── scripts/ # Build and utility scripts +``` + +## Coding Guidelines + +1. **Dockerfiles** + - Use multi-stage builds + - Group related installations + - Document non-obvious commands + - Follow best practices for size optimization + +2. **Documentation** + - Use clear, concise language + - Prefer short and bulleted information + - Keep formatting consistent + - Update relevant sections + +3. **Scripts** + - Include shebang line + - Add usage comments + - Make scripts portable + - Include error handling + +## Pull Request Process + +1. Update documentation for new features +2. Ensure all tests pass +3. Create succint PR description +4. Link relevant issues (if any) + +## Testing + +Before submitting a PR: + +1. 
Build images locally +2. Test basic functionality +3. Verify installed tools work +4. Verify documentation changes + +## Documentation + +When adding or modifying features: + +1. Update relevant documentation +2. Add examples if appropriate +3. Document any breaking changes + +## Questions? + +- Open an issue for discussion +- Contact maintainers +- Check existing documentation + +## License + +By contributing, you agree that your contributions will be licensed under the MIT License. diff --git a/docs/home/conventions.md b/docs/home/conventions.md new file mode 100644 index 0000000..a23b308 --- /dev/null +++ b/docs/home/conventions.md 
@@ -0,0 +1,84 @@ +# CST Conventions + +This document outlines the standard conventions used across all CST variants. + +## Directory Structure + +``` +/ +├── opt/ +│ ├── executables/ # Binary tools and utilities +│ ├── tools/ # Tool-specific directories +│ └── pyenv/ # Python virtual environment +├── persist/ # Mount point for persistent storage +└── root/ # User home directory +``` + +## Port Mapping Conventions + +When exposing ports from the container, follow these conventions: + +- SSH: `50022` (host) → `22` (container) +- HTTP: `50080` (host) → `80` (container) +- HTTPS: `50443` (host) → `443` (container) +- Dynamic Ports: Start at `50000` + original port + +## Environment Variables + +Standard environment details used across variants: + +- `TERM=xterm-256color` (set this manually if not the case on launch) +- Python environment at `/opt/pyenv/` +- `PATH` includes `/opt/executables` + +## Tool Installation Locations + +- Binary tools: `/opt/executables/` +- Python packages: `/opt/pyenv/` +- Binaries: `/usr/bin/` & `/usr/local/bin/` + +## Persistent Storage + +- Mount point: `/persist/` +- Recommended host location: `$HOME/docker_work/` +- Used for: + - Project files + - Configuration files + - Shell history + - Tool configurations + +## SSH Configuration + +- Root login enabled for convenience +- Password authentication enabled +- Dynamic port forwarding supported +- Custom port (`50022`) to avoid conflicts + +## Best Practices + +1. **Data Persistence** + - Store important data in `/persist/` + - Use version control for project files + - Back up configurations regularly + +2. **Resource Management** + - Clean up unused containers + - Prune Docker images periodically + - Monitor disk space usage + +3. **Security** + - Change SSH password for every run + - Use SSH keys when possible + - Keep host directory permissions restrictive + +4. 
**Workflow** + - Use shell functions for container management + - Maintain separate instances for different projects + - Document custom configurations + +## Version Control + +- Image versions only represent build time +- Tools are always installed to their latest versions, unless necessary for error fixes +- Base image: Ubuntu Jammy (22.04 LTS) +- Updates follow semantic versioning diff --git a/docs/home/getting-started.md b/docs/home/getting-started.md index 00d7bdd..3f73e9f 100644 --- a/docs/home/getting-started.md +++ b/docs/home/getting-started.md 
@@ -1 +1,105 @@ -WIP +# Getting Started with CST + +This guide will help you get up and running with the Containerized Security Toolkit. + +## Prerequisites + +- Docker installed and running on your system +- Basic familiarity with Docker commands +- At least 10GB of free disk space (varies by variant) + +## Basic Setup + +1. Create a persistence directory: + +```bash +mkdir -p $HOME/docker_work/ +``` + +2. Choose your variant and architecture: + +```bash +# For x86_64 systems +docker pull tanq16/cst-general:amd + +# For ARM64 systems (Apple Silicon, etc.) +docker pull tanq16/cst-general:arm +``` + +3. Run the container: + +```bash +docker run --name="cst-general" \ + -v $HOME/docker_work/:/persist \ + --rm -it tanq16/cst-general:amd \ + /bin/bash +``` + +## Advanced Setup + +### Shell Functions for Convenience + +Add these functions to your shell's RC file (`.bashrc`, `.zshrc`, etc.): + +```bash +# Start Container +start_cst(){ + variant=${1:-general} + docker run --name="cst-${variant}" --rm -d \ + -v $HOME/docker_work/:/persist \ + -p 50022:22 ${@:2} \ + -it tanq16/cst-${variant}:amd \ + bash -c "service ssh start; cp /persist/.bash_history /root/.bash_history 2>/dev/null; tail -f /dev/null" + + new_pass=$(cat /dev/random | head -c 20 | base64 | tr -d '=+/') + echo "Password: $new_pass" + echo $new_pass > current_docker_password + docker exec -e newpp="$new_pass" cst-${variant} bash -c 'echo "root:$(printenv newpp)" | chpasswd' +} + +# Stop Container +stop_cst(){ + variant=${1:-general} + docker cp cst-${variant}:/root/.bash_history $HOME/docker_work/.bash_history 2>/dev/null + docker stop cst-${variant} -t 0 +} +``` + +### Using SSH for Access + +With the above functions in place: + +1. Start container: + +```bash +start_cst general +``` + +2. SSH into container: + +```bash +ssh -o "StrictHostKeyChecking=no" \ + -o "UserKnownHostsFile=/dev/null" \ + root@localhost -p 50022 +``` + +3. 
When done, stop container: + +```bash +stop_cst general +``` + +## Persistence + +The `/persist` directory in the container maps to `$HOME/docker_work/` on your host system. Use this directory for: + +- Project files +- Configuration files +- Data that needs to persist between container restarts +- Shell history files + +## Next Steps + +- Check the [Variant-Specific Guides](../variants/index.md) for your chosen variant +- Review [Conventions](conventions.md) for best practices +- Explore [Advanced Usage](../advanced/shortcuts.md) for more features diff --git a/docs/home/index.md b/docs/home/index.md index 6d3f665..e82354e 100644 --- a/docs/home/index.md +++ b/docs/home/index.md @@ -1 +1,39 @@ -WIP \ No newline at end of file +

+ CST +

+ +# Containerized Security Toolkit + +The Containerized Security Toolkit (CST) provides a comprehensive suite of Docker images tailored for various security operations. Each variant is designed for specific use cases while maintaining consistency in basic functionality. + +For getting started quickly, visit the [Getting Started Guide](getting-started.md). + +## Available Variants + +- **General**: Core security tools and utilities for general security operations +- **Cloud**: Specialized for cloud security assessments and operations +- **Dev**: Development environment with security tools (Python, Go, Node.js) - WIP +- **Netsec**: Network security assessment and monitoring tools - WIP +- **Rice**: Enhanced version of General with CLI Productivity Suite + +Each variant is available for both x86_64 and ARM64 architectures: + +``` +tanq16/cst-:amd # For x86_64 systems +tanq16/cst-:arm # For ARM64 systems (Apple Silicon, etc.) +``` + +## Key Features + +- **Persistent Storage**: Mount local directories for data persistence +- **Secure Design**: Regular security updates and best practices +- **Purpose-Built**: Each variant optimized for specific security tasks +- **Rich Tooling**: Comprehensive set of pre-installed security tools +- **Consistent Environment**: Reproducible setup across systems +- **Cross-Platform**: Full support for both x86_64 and ARM64 + +## Quick Reference + +- **Documentation**: [https://tanishq.page/containerized-security-toolkit](https://tanishq.page/containerized-security-toolkit) +- **Docker Hub**: [https://hub.docker.com/r/tanq16/cst](https://hub.docker.com/r/tanq16/cst) +- **Source Code**: [https://github.com/tanq16/containerized-security-toolkit](https://github.com/tanq16/containerized-security-toolkit) diff --git a/docs/tools/cloud-tools.md b/docs/tools/cloud-tools.md new file mode 100644 index 0000000..f68ac79 --- /dev/null +++ b/docs/tools/cloud-tools.md 
@@ -0,0 +1,111 @@ +# Cloud Variant Tools + +The Cloud variant extends the General variant with specialized tools for cloud security assessment and operations. It includes tools for major cloud providers and cloud-native technologies. + +## Cloud Provider Tools + +### Multi-Cloud Tools + +- **CloudFox**: Cloud security assessment tool + - Location: `/opt/executables/cloudfox` + - Usage: Cloud service enumeration and security assessment + +- **CloudList**: Cloud asset enumeration + - Location: `/opt/executables/cloudlist` + - Usage: Multi-cloud asset discovery + +### AWS Tools + +- **AWS CLI v2**: Official AWS command line interface + - Location: System PATH + - Usage: AWS service interaction and management + +- **Prowler**: AWS security assessment tool + - Location: Python environment + - Usage: AWS security best practice assessment + +### Azure Tools + +- **Azure CLI**: Official Azure command line interface + - Location: System PATH + - Usage: Azure service management and interaction + +- **AzureHound**: Azure security assessment tool + - Location: `/opt/executables/azurehound` + - Usage: Azure AD privilege escalation paths + +### GCP Tools + +- **Google Cloud SDK**: Official GCP command line tools + - Location: `/root/google-cloud-sdk/` + - Usage: GCP service interaction and management + +## Container Security Tools + +- **Trivy**: Container vulnerability scanner + - Location: `/opt/executables/trivy` + - Usage: Container and filesystem vulnerability scanning + +- **Peirates**: Kubernetes penetration testing tool + - Location: `/opt/executables/peirates` + - Usage: Kubernetes security assessment + +## Infrastructure as Code Security + +- **Terraform**: Infrastructure as code tool + - Location: `/opt/executables/terraform` + - Usage: Infrastructure deployment and assessment + +- **Checkov**: IaC security scanner + - Location: Python environment + - Usage: Infrastructure as Code security scanning + +## Security Assessment Tools + +### Reconnaissance + +- Same tools 
as General variant: + - Subfinder + - HTTPx + - DNSx + - Nuclei + +### Web Security + +- Standard web testing tools from General variant: + - FFuf + - Gobuster + - Hakrawler + +## Python Security Tools + +Located in Python virtual environment at `/opt/pyenv/`: +- **ScoutSuite**: Multi-cloud security auditing tool + - Usage: `/opt/ScoutSuite/scout.py` + - Purpose: Cloud security posture assessment + +- **PMapper**: AWS IAM evaluation tool + - Usage: `/opt/PMapper/pmapper.py` + - Purpose: AWS IAM analysis + +- **KubiScan**: Kubernetes security scanning tool + - Usage: `/opt/KubiScan/KubiScan.py` + - Purpose: Kubernetes security assessment + +## Additional Resources + +- Kubernetes tools: + - `kubectl`: Kubernetes CLI + - `kube-hunter`: Kubernetes penetration testing + - `kubeaudit`: Kubernetes security auditing + +- GCP security tools: + - GCP IAM Privilege Escalation scanner + - GCP security assessment tools + +## Development Environment + +Includes standard development tools: +- Python 3 with specialized libraries +- Go language environment +- PowerShell Core diff --git a/docs/tools/dev-tools.md b/docs/tools/dev-tools.md new file mode 100644 index 0000000..85e6ff1 --- /dev/null +++ b/docs/tools/dev-tools.md @@ -0,0 +1 @@ +# WIP diff --git a/docs/tools/general-tools.md b/docs/tools/general-tools.md index e69de29..1cd7942 100644 --- a/docs/tools/general-tools.md +++ b/docs/tools/general-tools.md 
@@ -0,0 +1,101 @@ +# General Variant Tools + +The General variant provides a comprehensive set of security and utility tools. Each tool is installed in a specific location and serves a particular purpose in security operations. + +## Core System Tools + +The base system includes essential utilities installed via apt: +- `curl`, `wget`: Network data transfer +- `git`: Version control +- `tmux`: Terminal multiplexer +- `openssl`: Cryptographic toolkit +- `openssh-server`: SSH connectivity +- `openvpn`: VPN client +- Network utilities: `ping`, `telnet`, `traceroute`, `ftp` +- Development tools: `gcc`, `make`, `python3`, `nodejs`, `npm` + +## Security Assessment Tools + +### Web Application Security + +- **Gobuster**: Directory/file enumeration tool + - Location: `/opt/executables/gobuster` + - Usage: Web application directory brute forcing + +- **FFuf**: Web fuzzer + - Location: `/opt/executables/ffuf` + - Usage: Web fuzzing, directory discovery, parameter fuzzing + +- **Hakrawler**: Web crawler + - Location: `/opt/executables/hakrawler` + - Usage: Web crawling and asset discovery + +### Network Security + +- **Fingerprintx**: Service identification tool + - Location: `/opt/executables/fingerprintx` + - Usage: Service and version detection + +- **Nuclei**: Vulnerability scanner + - Location: `/opt/executables/nuclei` + - Usage: Automated vulnerability scanning + +- **Subfinder**: Subdomain discovery tool + - Location: `/opt/executables/subfinder` + - Usage: Subdomain enumeration + +### Infrastructure Security + +- **Trivy**: Container vulnerability scanner + - Location: `/opt/executables/trivy` + - Usage: Container and filesystem scanning + +### Reconnaissance Tools + +- **Amass**: Attack surface mapping tool + - Location: `/opt/executables/amass` + - Usage: Network mapping and asset discovery + +- **DNSx**: DNS toolkit + - Location: `/opt/executables/dnsx` + - Usage: DNS enumeration and discovery + +- **HTTPx**: HTTP toolkit + - Location: `/opt/executables/httpx` + - 
Usage: HTTP probe and analyzer + +### Utility Tools + +- **YQ**: YAML processor + - Location: `/opt/executables/yq` + - Usage: YAML/JSON processing + +- **GRPCurl**: gRPC testing tool + - Location: `/opt/executables/grpcurl` + - Usage: gRPC API testing + +- **Gron**: JSON flattening utility + - Location: `/opt/executables/gron` + - Usage: Make JSON greppable + +## Wordlists and Resources + +Located in `/opt/lists/`: +- SubDomains: `subdomains_top_110000.txt` +- Infrastructure: `common_router_ips.txt`, `common_http_ports.txt` +- Web Content: `directory_brute_medium.txt`, `directory_brute_common.txt` +- Passwords: `rockyou.txt` +- SNMP: `snmp.txt` +- Variables: `secret_keywords.txt` + +## Python Environment + +A dedicated Python virtual environment is available at `/opt/pyenv/` with: +- Requests: HTTP library +- Semgrep: Pattern-based code scanning + +## Development Tools + +- Go language environment +- AWS CLI v2 +- PowerShell Core diff --git a/docs/tools/netsec-tools.md b/docs/tools/netsec-tools.md new file mode 100644 index 0000000..85e6ff1 --- /dev/null +++ b/docs/tools/netsec-tools.md @@ -0,0 +1 @@ +# WIP diff --git a/docs/tools/rice-tools.md b/docs/tools/rice-tools.md new file mode 100644 index 0000000..f1fd01c --- /dev/null +++ b/docs/tools/rice-tools.md 
@@ -0,0 +1,119 @@ +# Rice Variant Tools + +The Rice variant enhances the General variant with the CLI Productivity Suite and additional convenience tools. It maintains all security tools from the General variant while adding productivity enhancements. + +## CLI Productivity Enhancements + +### Shell Environment + +- **Oh My Zsh**: Enhanced shell framework + - Location: `/root/.oh-my-zsh/` + - Features: + - Spaceship prompt theme + - Auto-suggestions + - Syntax highlighting + - Git integration + +- **Tmux Configuration**: Enhanced terminal multiplexer + - Location: `/root/.tmux/` + - Custom key bindings + - Status bar enhancements + - Plugin management + +### Enhanced Utilities + +- **FZF**: Fuzzy finder + - Location: `/root/.fzf/` + - Usage: Enhanced command history search + - File and directory fuzzy finding + +- **LSD**: Enhanced ls command + - Location: System PATH + - Usage: Improved file listing with icons + +- **Neovim**: Advanced text editor + - Location: System installation + - Includes NvChad configuration + - Enhanced development features + +## Security Tools + +Includes all tools from the General variant: + +### Web Security Tools + +- Gobuster +- FFuf +- Hakrawler +- Nuclei + +### Network Tools + +- Fingerprintx +- Subfinder +- HTTPx +- DNSx + +### Infrastructure Tools + +- Trivy +- AWS CLI +- PowerShell Core + +## Additional Features + +### Enhanced Navigation + +- Custom shell aliases +- Directory shortcuts +- Command history preservation +- Cross-session history + +### Development Support + +- Enhanced Git integration +- Improved code completion +- Better syntax highlighting +- Development tool integration + +## Productivity Features + +### Shell Improvements + +The CLI Productivity Suite adds: +- Intelligent command history +- Enhanced tab completion +- Directory navigation shortcuts +- Custom aliases and functions + +### Editor Enhancements + +NeoVim configuration includes: +- Code syntax highlighting +- File navigation +- Split pane management +- 
Plugin system + +### Terminal Multiplexer + +Tmux enhancements include: +- Session management +- Window organization +- Pane controls +- Status information + +## Standard Tools + +All tools from the General variant remain available: +- Security assessment tools +- Network utilities +- Development tools +- System utilities + +## Resource Location + +The standard CST directory structure is maintained: +- `/opt/executables/`: Binary tools +- `/opt/pyenv/`: Python environment +- `/opt/lists/`: Security wordlists +- `/persist/`: Persistent storage diff --git a/docs/variants/cloud.md b/docs/variants/cloud.md new file mode 100644 index 0000000..e27b9e6 --- /dev/null +++ b/docs/variants/cloud.md @@ -0,0 +1,28 @@ +# Cloud Variant + +The Cloud variant extends the General variant with specialized tools for cloud security assessments and operations across major cloud providers. + +### Focus Areas + +Cloud security capabilities include: +- Infrastructure security assessment +- Cloud configuration analysis +- Identity and access management review +- Container security scanning +- Serverless function analysis + +This variant excels at: +- Cloud security posture assessments +- Cloud penetration testing +- Cloud architecture review +- Compliance checking +- Resource enumeration + +### Notable Tooling + +The Cloud variant includes specialized tools for: +- AWS environment assessment +- Azure security testing +- GCP security analysis +- Multi-cloud security scanning +- Cloud-native application security diff --git a/docs/variants/dev.md b/docs/variants/dev.md new file mode 100644 index 0000000..b78fd68 --- /dev/null +++ b/docs/variants/dev.md 
@@ -0,0 +1,21 @@ +# Dev Variant + +# `WIP - NOT AVAILABLE YET` + +The Dev variant provides a security-focused development environment with comprehensive language support and security testing tools. + +### Development Environment + +Includes robust support for: +- Python development with Anaconda +- Golang development environment +- Node.js and npm +- Security-focused IDEs and editors +- Testing frameworks + +Perfect for: +- Security tool development +- Secure application development +- Security automation +- CI/CD security integration +- Security research diff --git a/docs/variants/general.md b/docs/variants/general.md index 13ac980..3e8c82b 100644 --- a/docs/variants/general.md +++ b/docs/variants/general.md @@ -1,3 +1,32 @@ -WIP +# General Variant -General Variant +The General variant serves as both a standalone security operations environment and a base for building custom security-focused images. It provides a carefully selected set of core security tools and utilities while maintaining a clean, extensible structure. + +### Key Features + +- Core security assessment tools +- Network analysis utilities +- Common penetration testing tools +- Web application security tools +- Base for custom security images + +This variant is ideal for: +- Security professionals needing a reliable base environment +- Teams building custom security toolkits +- General security assessment work +- Quick security analysis tasks + +### Base Image Extension + +The General variant is designed to be extended. Create custom security-focused images by using it as a base: + +```dockerfile +FROM tanq16/cst-general:amd + +# Add custom tools and configurations +RUN apt-get update && apt-get install -y \ + your-additional-packages + +# Add custom scripts or tools +COPY ./custom-tools /opt/custom-tools +``` diff --git a/docs/variants/index.md b/docs/variants/index.md index c2bee99..3bf2db2 100644 --- a/docs/variants/index.md +++ b/docs/variants/index.md 
@@ -1,3 +1,14 @@ -WIP +# CST Variants Overview -Variants Home +The Containerized Security Toolkit provides purpose-built variants for different security operations. Each variant is available as `cst-:amd` for x86_64 systems and `cst-:arm` for ARM64 systems. + +## Variant Selection Guide + +Choose your variant based on primary use case: +- **General**: Basic security operations or base for custom images +- **Cloud**: Cloud security assessments and operations +- **Dev**: Security tool and application development +- **Netsec**: Network security testing and monitoring +- **Rice**: Enhanced productivity for daily security work + +Each variant follows CST's core conventions while providing specialized capabilities for its target use case. diff --git a/docs/variants/netsec.md b/docs/variants/netsec.md new file mode 100644 index 0000000..03f2354 --- /dev/null +++ b/docs/variants/netsec.md @@ -0,0 +1,21 @@ +# Netsec Variant + +# `WIP - NOT AVAILABLE YET` + +The Network Security variant focuses on network assessment, monitoring, and security testing tools. + +### Capabilities + +Specialized for: +- Network vulnerability assessment +- Protocol analysis +- Traffic monitoring +- Wireless network testing +- Network forensics + +Ideal applications include: +- Network penetration testing +- Security monitoring +- Network architecture review +- Protocol security assessment +- Network forensics analysis diff --git a/docs/variants/rice.md b/docs/variants/rice.md index f39fa75..8e6b54b 100644 --- a/docs/variants/rice.md +++ b/docs/variants/rice.md 
@@ -1,3 +1,28 @@ -WIP +# Rice Variant -Rice Variant +The Rice variant enhances the General variant with the CLI Productivity Suite, creating an efficient and user-friendly security operations environment. + +### Enhancements + +The Rice variant adds: +- Customized shell configuration +- Enhanced terminal utilities +- Productivity shortcuts +- Improved text editors +- Workflow optimizations + +Perfect for: +- Daily security operations +- Extended terminal sessions +- Text-based workflows +- Security research and documentation +- Efficient command-line work + +### Rice-Specific Features + +The integrated CLI Productivity Suite provides: +- Custom shell prompts +- Advanced tab completion +- Git integrations +- Enhanced navigation +- Improved visibility features diff --git a/mkdocs.yml b/mkdocs.yml index 88cac7e..d3396f0 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -1,5 +1,5 @@ site_name: Containerized Security Toolkit -site_url: https://tanq16.github.io/containerized-security-toolkit +site_url: https://tanishq.page/containerized-security-toolkit repo_name: tanq16/containerized-security-toolkit repo_url: https://github.com/tanq16/containerized-security-toolkit @@ -61,6 +61,8 @@ nav: - Overview: variants/index.md - General: variants/general.md - Cloud: variants/cloud.md + - Dev: variants/dev.md + - NetSec: variants/netsec.md - Rice: variants/rice.md - Tools List: - General: tools/general-tools.md @@ -70,7 +72,6 @@ nav: - Shell Shortcuts: advanced/shortcuts.md - SSH & TMUX: advanced/ssh-tmux.md - DIY Build: advanced/build.md - - Example Workflow: advanced/rice-workflow.md # Markdown extensions markdown_extensions: diff --git a/scripts/cloud-builder.sh b/scripts/cloud-builder.sh new file mode 100644 index 0000000..c2cae7a --- /dev/null +++ b/scripts/cloud-builder.sh @@ -0,0 +1,5 @@ +cd images/general + +docker build -f builder.Dockerfile -t intermediate_builder . +docker builder prune -f +docker build -t cst-cloud .
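Review bot: In docs/tools/rice-tools.md, the "Security Tools" section says it "Includes all tools from the General variant", but the lists under it omit Amass, YQ, GRPCurl and Gron, and they file Nuclei under "Web Security Tools" where general-tools.md has it under "Network Security". Link to general-tools.md instead of restating a partial list, or make the two pages agree. The later "Standard Tools" section repeats the same claim again and can go.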
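Review bot: In docs/variants/cloud.md, the "Notable Tooling" section names no tools, only categories ("AWS environment assessment", "Azure security testing", ...), so a reader cannot tell what is actually in the image. This patch also creates docs/tools/cloud-tools.md; link to it from this section, or list the tool names here. The headings also jump from `#` straight to `###`, here and in the other variant pages.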
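Review bot: In docs/variants/dev.md (and identically in docs/variants/netsec.md), the availability notice is a second top-level heading, `# WIP - NOT AVAILABLE YET` in code formatting, directly under `# Dev Variant`, which gives the page two H1 titles. Make it a bold line or an admonition under the single title. The body below it is written in the present tense ("Includes robust support for"), which reads as if the image ships today; "will include" would match the notice.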
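Review bot: In docs/variants/general.md, the extension example starts from `FROM tanq16/cst-general:amd`, a mutable tag, and the page recommends this as the base for custom security images without mentioning pinning. Suggest showing or at least noting a digest-pinned `FROM` so downstream builds are reproducible. In the same example, the `RUN apt-get update && apt-get install -y` line could use `--no-install-recommends` and remove `/var/lib/apt/lists/*` in the same layer, since readers will copy it as written.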
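Review bot: In docs/variants/index.md, the image names read `cst-:amd` and `cst-:arm`, with nothing between `cst-` and the tag, so the sentence does not tell the reader what to pull. If a placeholder was intended, spell it in a form that survives rendering, or give a concrete name such as `cst-general:amd`. The names here also lack the `tanq16/` namespace that the `FROM` line in general.md uses; pick one form for the docs.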
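Review bot: In mkdocs.yml, the nav now publishes `Dev: variants/dev.md` and `NetSec: variants/netsec.md`, both of which are pages marked "WIP - NOT AVAILABLE YET", with nothing in the nav label to say so. Consider a "(WIP)" suffix on the labels, or hold the entries back until the images exist. The label is spelled `NetSec` here and `Netsec` in the docs; and since this patch creates cloud-tools.md, dev-tools.md, netsec-tools.md and rice-tools.md under docs/tools/, check that each one is listed under "Tools List", as only `General: tools/general-tools.md` is visible in this hunk's context.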
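Review bot: scripts/cloud-builder.sh has no shebang and no `set -e`, so if `cd images/general` fails, both `docker build` commands still run against whatever directory the caller happens to be in. Add `#!/usr/bin/env bash` and `set -euo pipefail` at the top; the file is also created with mode 100644, so it is not executable. The script enters `images/general` but tags the result `cst-cloud`: if the cloud image really is built from the general context, say so in a comment, otherwise the `cd` target looks like a copy-paste slip. `docker builder prune -f` prunes build cache for the whole Docker host, not only this build, which deserves a comment as well.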