-
Notifications
You must be signed in to change notification settings - Fork 61
/
Copy pathDockerfile
168 lines (160 loc) · 13.1 KB
/
Dockerfile
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
FROM golang:alpine as golang
LABEL NAME="Hacker Container" MAINTAINER="Madhu Akula"
RUN apk add --no-cache git \
&& go install github.com/aquasecurity/kube-bench@latest \
&& go install github.com/OJ/gobuster@latest \
&& git clone https://github.com/cyberark/kubeletctl \
&& cd kubeletctl && go install github.com/mitchellh/gox@latest \
&& go mod vendor && go fmt ./... && mkdir -p build \
&& if [ `uname -m` == "aarch64" ]; then ARCH="linux/arm64"; else ARCH="linux/amd64"; fi \
&& GOFLAGS=-mod=vendor gox -ldflags "-s -w" --osarch=$ARCH -output "build/kubeletctl_local_build"
FROM alpine:3.14
LABEL NAME="Hacker Container" MAINTAINER="Madhu Akula"
ENV DOCKER_VERSION=19.03.9
ENV KUBECTL_VERSION=1.24.0
ENV HELM_VERSION=3.2.2
ENV HELMV2_VERSION=2.16.7
ENV AUDIT2RBAC_VERSION=0.8.0
ENV AMICONTAINED_VERSION=0.4.9
ENV KUBESEC_VERSION=2.11.4
ENV CFSSL_VERSION=1.6.4
ENV AMASS_VERSION=3.6.3
ENV KUBECTL_WHOCAN_VERSION=0.4.0
ENV ETCDCTL_VERSION=3.4.9
ENV KUBEBENCH_VERSION=0.3.0
ENV GITLEAKS_VERSION=8.8.11
ENV TLDR_VERSION=0.6.1
ENV KUBEAUDIT_VERSION=0.18.0
ENV POPEYE_VERSION=0.9.0
ENV HADOLINT_VERSION=2.10.0
ENV CONFTEST_VERSION=0.21.0
WORKDIR /tmp
COPY --from=golang /go/bin/kube-bench /usr/local/bin/kube-bench
COPY --from=golang /go/bin/gobuster /usr/local/bin/gobuster
COPY --from=golang /go/kubeletctl/build/kubeletctl_local_build /usr/local/bin/kubeletctl
COPY pwnchart /root/pwnchart
RUN if [ `uname -m` == "aarch64" ]; then \
apk --no-cache add \
curl wget bash htop nmap nmap-scripts python3 python2 py3-pip ca-certificates bind-tools \
coreutils iputils net-tools git unzip whois tcpdump openssl proxychains-ng procps zmap scapy \
netcat-openbsd redis postgresql-client mysql-client masscan nikto ebtables perl-net-ssleay \
&& curl -LO https://storage.googleapis.com/kubernetes-release/release/v${KUBECTL_VERSION}/bin/linux/arm64/kubectl \
&& mv kubectl /usr/local/bin/kubectl \
&& curl -fSLO https://github.com/Shopify/kubeaudit/releases/download/v${KUBEAUDIT_VERSION}/kubeaudit_${KUBEAUDIT_VERSION}_linux_arm64.tar.gz \
&& tar -xvzf kubeaudit_${KUBEAUDIT_VERSION}_linux_arm64.tar.gz && mv kubeaudit /usr/local/bin/kubeaudit \
&& curl -fSLO https://github.com/derailed/popeye/releases/download/v${POPEYE_VERSION}/popeye_Linux_arm64.tar.gz \
&& tar -xvzf popeye_Linux_arm64.tar.gz && mv popeye /usr/local/bin/popeye \
&& curl -fSL https://github.com/hadolint/hadolint/releases/download/v${HADOLINT_VERSION}/hadolint-Linux-arm64 \
-o /usr/local/bin/hadolint \
&& curl -fSLO https://github.com/open-policy-agent/conftest/releases/download/v${CONFTEST_VERSION}/conftest_${CONFTEST_VERSION}_Linux_arm64.tar.gz \
&& tar -xvzf conftest_${CONFTEST_VERSION}_Linux_arm64.tar.gz && mv conftest /usr/local/bin/conftest \
&& curl -LO https://get.helm.sh/helm-v${HELM_VERSION}-linux-arm64.tar.gz \
&& tar -zxvf helm-v${HELM_VERSION}-linux-arm64.tar.gz && mv linux-arm64/helm /usr/local/bin/helm \
&& curl -LO https://get.helm.sh/helm-v${HELMV2_VERSION}-linux-arm64.tar.gz \
&& tar -zxvf helm-v${HELMV2_VERSION}-linux-arm64.tar.gz && mv linux-arm64/helm /usr/local/bin/helm2 \
&& curl -LO https://github.com/liggitt/audit2rbac/releases/download/v${AUDIT2RBAC_VERSION}/audit2rbac-linux-arm64.tar.gz \
&& curl -fSL https://github.com/adamhurm/amicontained/releases/download/v${AMICONTAINED_VERSION}/amicontained_linux_arm64 \
-o /usr/local/bin/amicontained \
&& curl -fSLO https://github.com/controlplaneio/kubesec/releases/download/v${KUBESEC_VERSION}/kubesec_linux_arm64.tar.gz \
&& tar -xvzf kubesec_linux_arm64.tar.gz && mv kubesec /usr/local/bin/kubesec \
&& curl -fSL https://github.com/cloudflare/cfssl/releases/download/v${CFSSL_VERSION}/cfssl_${CFSSL_VERSION}_linux_arm64 \
-o /usr/local/bin/cfssl \
&& curl -fSLO https://github.com/OWASP/Amass/releases/download/v${AMASS_VERSION}/amass_linux_arm64.zip \
&& unzip amass_linux_arm64.zip && mv amass_linux_arm64/amass /usr/local/bin/amass \
&& mv amass_linux_arm64/examples/wordlists /usr/share/wordlists \
&& curl -fSL https://github.com/danielmiessler/SecLists/raw/master/Passwords/Leaked-Databases/rockyou.txt.tar.gz \
-o /usr/share/wordlists/rockyou.txt.tar.gz \
# For now we are just using the k8s manifests for leveraging the kube-hunter, in future we should support the local package
&& curl -fSLO https://github.com/aquasecurity/kubectl-who-can/releases/download/v${KUBECTL_WHOCAN_VERSION}/kubectl-who-can_linux_arm64.tar.gz \
&& tar -xvzf kubectl-who-can_linux_arm64.tar.gz \
&& mv kubectl-who-can /usr/local/bin/kubectl-who-can \
&& curl -fSLO https://download.docker.com/linux/static/stable/aarch64/docker-${DOCKER_VERSION}.tgz \
&& tar -xvzf docker-${DOCKER_VERSION}.tgz && mv docker/* /usr/local/bin/ \
&& curl -fsLO https://github.com/isacikgoz/tldr/releases/download/v${TLDR_VERSION}/tldr_${TLDR_VERSION}_linux_arm64.tar.gz \
&& tar -xvzf tldr_${TLDR_VERSION}_linux_arm64.tar.gz && mv tldr /usr/local/bin/ \
&& curl -fSLO https://github.com/etcd-io/etcd/releases/download/v${ETCDCTL_VERSION}/etcd-v${ETCDCTL_VERSION}-linux-arm64.tar.gz \
&& tar -xvzf etcd-v${ETCDCTL_VERSION}-linux-arm64.tar.gz && mv etcd-v${ETCDCTL_VERSION}-linux-arm64/etcdctl /usr/local/bin/ \
&& git clone https://github.com/docker/docker-bench-security.git /root/docker-bench-security \
&& git clone https://github.com/CISOfy/lynis /root/lynis \
&& git clone --depth 1 https://github.com/drwetter/testssl.sh.git /usr/share/testssl \
&& ln -s /usr/share/testssl/testssl.sh /usr/local/bin/testssl \
&& curl -fSLO https://github.com/zricethezav/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_arm64.tar.gz \
&& tar -xzvf gitleaks_${GITLEAKS_VERSION}_linux_arm64.tar.gz \
&& mv gitleaks /usr/local/bin/gitleaks \
&& curl -fSL https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh -o /usr/local/bin/linenum \
&& git clone --depth 1 https://github.com/pentestmonkey/unix-privesc-check.git /root/unix-privesc-check \
&& curl -fSL https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh -o /usr/local/bin/linux-exploit-suggester \
&& curl -fSL https://raw.githubusercontent.com/mbahadou/postenum/master/postenum.sh -o /usr/local/bin/postenum \
&& git clone https://github.com/aquasecurity/kube-hunter /root/kube-hunter \
&& chmod a+x /usr/local/bin/linenum /usr/local/bin/linux-exploit-suggester /usr/local/bin/cfssl /usr/local/bin/hadolint /usr/local/bin/conftest \
/usr/local/bin/postenum /usr/local/bin/gitleaks /usr/local/bin/kubectl /usr/local/bin/amicontained /usr/local/bin/kubeaudit /usr/local/bin/popeye /usr/local/bin/kubeletctl \
&& pip3 install --no-cache-dir awscli truffleHog \
&& echo 'http://dl-cdn.alpinelinux.org/alpine/v3.9/main' >> /etc/apk/repositories \
&& echo 'http://dl-cdn.alpinelinux.org/alpine/v3.9/community' >> /etc/apk/repositories \
&& apk update && apk add mongodb yaml-cpp=0.6.2-r2 \
# use musl linker
&& ln -s /lib/ld-musl-aarch64.so.1 /lib/ld-linux-aarch64.so.1 \
&& rm -rf /tmp/* ; \
else \
apk --no-cache add \
curl wget bash htop nmap nmap-scripts python3 python2 py3-pip ca-certificates bind-tools \
coreutils iputils net-tools git unzip whois tcpdump openssl proxychains-ng procps zmap scapy \
netcat-openbsd redis postgresql-client mysql-client masscan nikto ebtables perl-net-ssleay \
&& curl -LO https://storage.googleapis.com/kubernetes-release/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl \
&& mv kubectl /usr/local/bin/kubectl \
&& curl -fSLO https://github.com/Shopify/kubeaudit/releases/download/v${KUBEAUDIT_VERSION}/kubeaudit_${KUBEAUDIT_VERSION}_linux_amd64.tar.gz \
&& tar -xvzf kubeaudit_${KUBEAUDIT_VERSION}_linux_amd64.tar.gz && mv kubeaudit /usr/local/bin/kubeaudit \
&& curl -fSLO https://github.com/derailed/popeye/releases/download/v${POPEYE_VERSION}/popeye_Linux_x86_64.tar.gz \
&& tar -xvzf popeye_Linux_x86_64.tar.gz && mv popeye /usr/local/bin/popeye \
&& curl -fSL https://github.com/hadolint/hadolint/releases/download/v${HADOLINT_VERSION}/hadolint-Linux-x86_64 \
-o /usr/local/bin/hadolint \
&& curl -fSLO https://github.com/open-policy-agent/conftest/releases/download/v${CONFTEST_VERSION}/conftest_${CONFTEST_VERSION}_Linux_x86_64.tar.gz \
&& tar -xvzf conftest_${CONFTEST_VERSION}_Linux_x86_64.tar.gz && mv conftest /usr/local/bin/conftest \
&& curl -LO https://get.helm.sh/helm-v${HELM_VERSION}-linux-amd64.tar.gz \
&& tar -zxvf helm-v${HELM_VERSION}-linux-amd64.tar.gz && mv linux-amd64/helm /usr/local/bin/helm \
&& curl -LO https://get.helm.sh/helm-v${HELMV2_VERSION}-linux-amd64.tar.gz \
&& tar -zxvf helm-v${HELMV2_VERSION}-linux-amd64.tar.gz && mv linux-amd64/helm /usr/local/bin/helm2 \
&& curl -LO https://github.com/liggitt/audit2rbac/releases/download/v${AUDIT2RBAC_VERSION}/audit2rbac-linux-amd64.tar.gz \
&& curl -fSL https://github.com/genuinetools/amicontained/releases/download/v${AMICONTAINED_VERSION}/amicontained-linux-amd64 \
-o /usr/local/bin/amicontained \
&& curl -fSLO https://github.com/controlplaneio/kubesec/releases/download/v${KUBESEC_VERSION}/kubesec_linux_amd64.tar.gz \
&& tar -xvzf kubesec_linux_amd64.tar.gz && mv kubesec /usr/local/bin/kubesec \
&& curl -fSL https://github.com/cloudflare/cfssl/releases/download/v${CFSSL_VERSION}/cfssl_${CFSSL_VERSION}_linux_amd64 \
-o /usr/local/bin/cfssl \
&& curl -fSLO https://github.com/OWASP/Amass/releases/download/v${AMASS_VERSION}/amass_linux_amd64.zip \
&& unzip amass_linux_amd64.zip && mv amass_linux_amd64/amass /usr/local/bin/amass \
&& mv amass_linux_amd64/examples/wordlists /usr/share/wordlists \
&& curl -fSL https://github.com/danielmiessler/SecLists/raw/master/Passwords/Leaked-Databases/rockyou.txt.tar.gz \
-o /usr/share/wordlists/rockyou.txt.tar.gz \
&& curl -fSLO https://github.com/aquasecurity/kubectl-who-can/releases/download/v${KUBECTL_WHOCAN_VERSION}/kubectl-who-can_linux_x86_64.tar.gz \
&& tar -xvzf kubectl-who-can_linux_x86_64.tar.gz \
&& mv kubectl-who-can /usr/local/bin/kubectl-who-can \
&& curl -fSLO https://download.docker.com/linux/static/stable/x86_64/docker-${DOCKER_VERSION}.tgz \
&& tar -xvzf docker-${DOCKER_VERSION}.tgz && mv docker/* /usr/local/bin/ \
&& curl -fsLO https://github.com/isacikgoz/tldr/releases/download/v${TLDR_VERSION}/tldr_${TLDR_VERSION}_linux_amd64.tar.gz \
&& tar -xvzf tldr_${TLDR_VERSION}_linux_amd64.tar.gz && mv tldr /usr/local/bin/ \
&& curl -fSLO https://github.com/etcd-io/etcd/releases/download/v${ETCDCTL_VERSION}/etcd-v${ETCDCTL_VERSION}-linux-amd64.tar.gz \
&& tar -xvzf etcd-v${ETCDCTL_VERSION}-linux-amd64.tar.gz && mv etcd-v${ETCDCTL_VERSION}-linux-amd64/etcdctl /usr/local/bin/ \
&& git clone https://github.com/docker/docker-bench-security.git /root/docker-bench-security \
&& git clone https://github.com/CISOfy/lynis /root/lynis \
&& git clone --depth 1 https://github.com/drwetter/testssl.sh.git /usr/share/testssl \
&& ln -s /usr/share/testssl/testssl.sh /usr/local/bin/testssl \
&& curl -fSLO https://github.com/zricethezav/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz \
&& tar -xzvf gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz \
&& mv gitleaks /usr/local/bin/gitleaks \
&& curl -fSL https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh -o /usr/local/bin/linenum \
&& git clone --depth 1 https://github.com/pentestmonkey/unix-privesc-check.git /root/unix-privesc-check \
&& curl -fSL https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh -o /usr/local/bin/linux-exploit-suggester \
&& curl -fSL https://raw.githubusercontent.com/mbahadou/postenum/master/postenum.sh -o /usr/local/bin/postenum \
# For now we are just using the k8s manifests for leveraging the kube-hunter, in future we should support the local package
&& git clone https://github.com/aquasecurity/kube-hunter /root/kube-hunter \
&& chmod a+x /usr/local/bin/linenum /usr/local/bin/linux-exploit-suggester /usr/local/bin/cfssl /usr/local/bin/hadolint /usr/local/bin/conftest \
/usr/local/bin/postenum /usr/local/bin/gitleaks /usr/local/bin/kubectl /usr/local/bin/amicontained /usr/local/bin/kubeaudit /usr/local/bin/popeye /usr/local/bin/kubeletctl \
&& pip3 install --no-cache-dir awscli truffleHog \
&& echo 'http://dl-cdn.alpinelinux.org/alpine/v3.9/main' >> /etc/apk/repositories \
&& echo 'http://dl-cdn.alpinelinux.org/alpine/v3.9/community' >> /etc/apk/repositories \
&& apk update && apk add mongodb yaml-cpp=0.6.2-r2 \
&& rm -rf /tmp/* ; \
fi
WORKDIR /root
CMD [ "/bin/sh" ]